
Supply-Chain Update #1

Updates on supply-chain security: vulnerabilities, attacks and mitigations. I try to summarize interesting articles I come across and post them here, targeting a biweekly cadence.

Vulnerabilities #

CVE-2026-46529: 10-year-old RCE in Linux PDF Viewer (XReader/Evince/Atril) #

Claude Code helped find a bug in several Linux PDF viewers (Evince and its forks Atril and XReader) that share the Evince code base. Fuzzing did not turn anything up; reading the code for suspicious patterns did. The ev_spawn function implements the PDF /GoToR (go-to-remote) action, which opens an external document referenced from the PDF. It launches that document through an exec() call whose arguments are built from the document-supplied path, and because that path is not properly shell-escaped before it is passed on, a crafted PDF can inject additional arguments or commands.
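The bug class above, reduced to its essence, as an added example (this is not the Evince/ev_spawn code and not the reported payload; the viewer binary name and the remote-file path are constructed for the demo). It contrasts splicing an untrusted path into a command string with the two standard mitigations, and uses shlex to show how a POSIX shell would tokenise each result:

```python
# Added illustration of the command-injection bug class discussed above.
# NOT the Evince/ev_spawn code and not the reported payload: the viewer name
# and the /GoToR target are constructed for this demo.
import shlex
from typing import List

VIEWER = "pdf-viewer"  # hypothetical helper binary (assumption)


def naive_command(remote_path: str) -> str:
    """Vulnerable pattern: splice an untrusted /GoToR target into a single
    command-line string that is later parsed with shell rules."""
    return f"{VIEWER} {remote_path}"


def quoted_command(remote_path: str) -> str:
    """Mitigation 1: quote the untrusted argument (POSIX single-quote rules)."""
    return f"{VIEWER} {shlex.quote(remote_path)}"


def argv_for(remote_path: str) -> List[str]:
    """Mitigation 2 (preferred): never build a string at all; hand an argv
    vector to subprocess.run(argv) / posix_spawn so no shell parsing happens."""
    return [VIEWER, remote_path]


def shell_words(cmd: str) -> List[str]:
    """Tokenise cmd the way a POSIX shell would, keeping ';', '|', '&', etc.
    as separate tokens so that command separators become visible."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def is_single_argument(cmd: str) -> bool:
    """True when the whole command parses to exactly [VIEWER, <one argument>]."""
    words = shell_words(cmd)
    return len(words) == 2 and words[0] == VIEWER


if __name__ == "__main__":
    # Constructed remote-file name carrying a shell separator.
    target = "report.pdf; echo injected"
    print(shell_words(naive_command(target)))   # ['pdf-viewer', 'report.pdf', ';', 'echo', 'injected']
    print(shell_words(quoted_command(target)))  # ['pdf-viewer', 'report.pdf; echo injected']
    print(argv_for(target))
```

The point a reviewer should take from this: quoting fixes the string form, but the argv form removes the shell from the picture entirely, which is the fix to prefer whenever the launch path does not genuinely need shell features.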

Supply-Chain Attacks #

Investigating unauthorized access to GitHub-owned repositories #

GitHub was hit by a supply-chain attack that started with a malicious VS Code extension. The attackers exfiltrated the contents of about 3,800 GitHub-owned internal git repositories.

Megalodon: Mass GitHub Repo Backdooring via CI Workflows #

5,561 GitHub repositories received malicious workflow commits that exfiltrate CI environment variables and credentials (AWS, GCP, SSH, database, API and GitHub Actions secrets). The commits adding the malicious workflow files were pushed straight to master with no pull request, most likely using a compromised personal access token or deploy key.

This attack does not directly affect downstream consumers of the affected packages: the commits only exfiltrate secrets from the CI pipelines. Those secrets, however, would give the attackers the means to compromise the packages themselves later.

TeamPCP’s Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages #

To quote from the article:

Mini Shai-Hulud is a true worm: after stealing credentials from one CI/CD pipeline, it enumerates every package that maintainer controls and publishes infected versions of each. The 2.3 MB obfuscated payload reads GitHub Actions runner process memory to extract every secret, harvests credentials from over 100 file paths spanning cloud providers, cryptocurrency wallets, AI tools, and messaging apps, and installs persistence hooks in Claude Code, VS Code, and OS-level services that survive reboots. Stolen data is encrypted and exfiltrated through the Session Protocol CDN and GitHub’s own GraphQL API, where dead-drop commits are authored as claude@users.noreply.github.com and disguised with Dependabot-style branch names drawn from Frank Herbert’s Dune universe.
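Both the Megalodon item and the Mini Shai-Hulud quote above describe signals that are visible in plain commit history: workflow files changed by commits that went straight to the default branch without a pull request, and dead-drop commits authored as claude@users.noreply.github.com. The following is an added detection sketch, not code from either write-up. The log it scans is constructed and mimics the output of `git log --format='%H%x09%ae%x09%P%x09%s' --name-only`; the "no pull request" rule is a heuristic (single parent and no trailing "(#NNN)" squash-merge reference in the subject), not a lookup against the GitHub API.

```python
# Added detection sketch for two commit-level signals from the writeups
# above. Not code from either writeup; SAMPLE_LOG is constructed.
import re
from dataclasses import dataclass, field
from typing import List, Tuple

WORKFLOW_DIR = ".github/workflows/"
DEAD_DROP_AUTHOR = "claude@users.noreply.github.com"  # from the Mini Shai-Hulud writeup
SQUASH_PR_REF = re.compile(r"\(#\d+\)\s*$")           # "subject (#123)" (heuristic)

# Constructed sample in `git log --format='%H%x09%ae%x09%P%x09%s' --name-only` style.
SAMPLE_LOG = """\
1111111\tdev@example.com\taaaaaaa\tci: cache node_modules (#41)
.github/workflows/ci.yml

2222222\tdev@example.com\t1111111\tUpdate ci.yml
.github/workflows/ci.yml

3333333\tdev@example.com\t2222222 9999999\tMerge pull request #42 from feature/x
src/index.js

4444444\tclaude@users.noreply.github.com\t3333333\tchore(deps): bump build tooling
README.md
"""


@dataclass
class Commit:
    sha: str
    author_email: str
    parents: int
    subject: str
    files: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Commit]:
    """A line with at least three tabs is a commit header; every other
    non-empty line is a changed path belonging to the preceding commit."""
    commits: List[Commit] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.count("\t") >= 3:
            sha, email, parents, subject = line.split("\t", 3)
            commits.append(Commit(sha, email, len(parents.split()), subject))
        elif commits:
            commits[-1].files.append(line.strip())
    return commits


def scan(commits: List[Commit]) -> List[Tuple[str, str]]:
    """Return (sha, rule) pairs for commits matching either signal."""
    findings: List[Tuple[str, str]] = []
    for c in commits:
        touches_workflow = any(f.startswith(WORKFLOW_DIR) for f in c.files)
        # Merge commits have two parents; squash merges carry "(#NNN)".
        via_pr = c.parents >= 2 or bool(SQUASH_PR_REF.search(c.subject))
        if touches_workflow and not via_pr:
            findings.append((c.sha, "workflow-change-without-pr"))
        if c.author_email == DEAD_DROP_AUTHOR:
            findings.append((c.sha, "dead-drop-author"))
    return findings


if __name__ == "__main__":
    for sha, rule in scan(parse_log(SAMPLE_LOG)):
        print(sha, rule)
```

Against a real repository, pipe the output of the git command quoted in the lead-in into parse_log. The PR heuristic has obvious gaps (rebase merges, squash subjects without the reference), so treat a hit as a prompt to check the branch-protection audit log, not as proof on its own.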

Grafana Labs security update: Latest on TanStack npm supply chain ransomware incident #

Grafana was affected by the TanStack npm supply-chain ransomware event (the Mini Shai-Hulud attack above). According to Grafana, neither customer production systems nor the Grafana Cloud platform were affected. What leaked were business contact names and email addresses of the kind exchanged in a professional relationship. Their response is to harden their CI and CD pipelines.

Reverse engineering android malware with claude code #

Not software supply-chain security in the strict sense, but interesting nevertheless: cheap gadgets bought from Chinese vendors come pre-loaded with malware. Often such hardware is enrolled in residential proxy networks (marketed as "residential VPNs"): other people get to use your internet connection, and thus your IP address, to reach the internet. These are popular because residential IP addresses often bypass the detection systems aimed at automated requests. The article is a write-up of an LED projector, reverse engineered with Claude Code: how the malware got pre-loaded and how it works.

Security #

Apple: A blueprint for formal verification of Apple corecrypto #

Apple is formally verifying their corecrypto library, including its post-quantum cryptography implementations, using Cryptol and Isabelle. The verification effort has already surfaced real correctness issues.

corecrypto ships on billions of Apple devices, so a verified implementation removes a class of supply-chain risk from every system that depends on it. Verifying post-quantum primitives is particularly high-leverage: the algorithms are new and structurally complex, and implementation bugs are easy to miss in ordinary review or testing. The most useful signal from Apple's write-up is that the work already surfaced real correctness issues, i.e. formal methods caught things conventional QA did not. It also fits a broader pattern in this issue (the Turso/SQLite Quint work below, and Jane Street's growing interest per the Minsky talk at the end): formal verification is moving from academic to practical at production scale.

Cloudflare: Project Glasswing: what Mythos showed us #

Cloudflare describes what they learned from using Mythos to find security issues in their code as part of Project Glasswing. In general, LLMs are useful for finding issues in code, but they work best when given direction and context. The output can also be very noisy: false positives are mixed in, and the models do not express calibrated certainty (they hedge). Cloudflare explains the harness they use to refine the output.

The First CVE Wave: Signs That AI-Assisted Vulnerability Discovery Is Reshaping Disclosure Volumes #

The article claims that CVE disclosure volumes are up sharply year-to-date (YTD) across several software suppliers, with increases ranging from 100% to 500% compared to last year, and attributes much of this growth to the availability of LLMs.

The evidence appears to point to emerging AI models that have enabled software suppliers and security researchers to discover and remediate vulnerabilities that would have likely gone overlooked otherwise.

The article walks through several projects and companies, examining their vulnerability disclosures, closing with some thoughts about how this impacts software security:

What’s less clear is whether these volumes will be sustained, or whether this is a temporary surge as better AI models are pointed at different code bases and new models continue to surface vulnerabilities.

I think one graphic, produced by Mozilla, stands out and summarizes the situation well:

[Figure: Mozilla security bug fixes by month]

Turso: How we used Quint to find over 10 bugs in SQLite while hardening Turso #

Quint is a specification language in the TLA+ family for modelling state machines and their transitions. From a spec you can model-check invariants and generate traces that explore behaviour conventional tests rarely reach.

At Turso, they used this to write a specification of the SQLite API, generate traces from it, and translate those traces into programs exercising both SQLite's C API and Turso (the company's SQLite-compatible re-implementation in Rust). Doing so found and fixed over 10 bugs in SQLite, in addition to improving Turso. To quote:

Formal methods, and Quint in particular, were able to explore parts of the specification that the Turso simulator previously could not. The general concepts are similar, but instead of generating a random sequence of SQL statements and enforcing system-level properties, Quint generates a list of traces that can then be translated into any substrate we want.

In this case, we translated Quint traces into a C program that interacted with the C API. Turso got better thanks to this endeavor. So did SQLite: at least 10 bugs were found, reported, and fixed.

SQLite is a magnificent piece of software that has been around and thoroughly tested for decades. And yet, bugs were lurking that previous disciplines did not catch. Formal methods did.
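To make the "spec, then traces, then substrate" workflow concrete, here is an added toy in Python. It is not Quint and not Turso's specification: a four-action transaction model (BEGIN, INSERT, COMMIT, ROLLBACK) is written as a plain state machine, every legal trace up to a given length is enumerated from it, each trace is replayed against an in-memory SQLite database through the stdlib sqlite3 module, and the model's predicted row count is compared with what SQLite reports. Actions the model forbids in a given state are also tried and must be rejected by SQLite. The model's rules (autocommit INSERT outside a transaction, no nested BEGIN) are assumptions that hold for SQLite's default behaviour.

```python
# Added toy: spec-driven trace generation replayed against SQLite.
# NOT Quint and NOT Turso's spec; the transaction model is a constructed
# example of the technique.
import sqlite3
from typing import Dict, List, Tuple

ACTIONS = ("BEGIN", "INSERT", "COMMIT", "ROLLBACK")
SQL = {
    "BEGIN": "BEGIN",
    "INSERT": "INSERT INTO t(x) VALUES (1)",
    "COMMIT": "COMMIT",
    "ROLLBACK": "ROLLBACK",
}


class Model:
    """Abstract state: open transaction?, rows committed, rows pending."""

    def __init__(self) -> None:
        self.in_txn = False
        self.committed = 0
        self.pending = 0

    def legal(self, action: str) -> bool:
        if action == "BEGIN":
            return not self.in_txn          # no nested transactions
        if action == "INSERT":
            return True                     # autocommit insert is fine
        return self.in_txn                  # COMMIT/ROLLBACK need a txn

    def step(self, action: str) -> None:
        assert self.legal(action)
        if action == "BEGIN":
            self.in_txn = True
        elif action == "INSERT":
            if self.in_txn:
                self.pending += 1
            else:
                self.committed += 1
        elif action == "COMMIT":
            self.committed += self.pending
            self.pending = 0
            self.in_txn = False
        else:                               # ROLLBACK
            self.pending = 0
            self.in_txn = False

    def visible_rows(self) -> int:
        return self.committed + self.pending


def replay(trace: Tuple[str, ...]) -> Model:
    m = Model()
    for a in trace:
        m.step(a)
    return m


def generate_traces(max_len: int) -> List[Tuple[str, ...]]:
    """Every action sequence of length 1..max_len that the model allows."""
    traces: List[Tuple[str, ...]] = []
    frontier: List[Tuple[str, ...]] = [()]
    for _ in range(max_len):
        nxt: List[Tuple[str, ...]] = []
        for prefix in frontier:
            m = replay(prefix)
            for a in ACTIONS:
                if m.legal(a):
                    t = prefix + (a,)
                    traces.append(t)
                    nxt.append(t)
        frontier = nxt
    return traces


def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:", isolation_level=None)  # no implicit BEGIN
    conn.execute("CREATE TABLE t(x INTEGER)")
    return conn


def run_trace(trace: Tuple[str, ...]) -> Tuple[int, int]:
    """Replay trace on SQLite; return (model_rows, sqlite_rows)."""
    conn = _fresh_db()
    m = Model()
    for a in trace:
        m.step(a)
        conn.execute(SQL[a])
    rows = conn.execute("SELECT COUNT(*) FROM t").fetchone()[0]
    conn.close()
    return m.visible_rows(), rows


def illegal_rejected(trace: Tuple[str, ...]) -> bool:
    """After replaying trace, every action the model forbids must error."""
    conn = _fresh_db()
    for a in trace:
        conn.execute(SQL[a])
    m = replay(trace)
    ok = True
    for a in ACTIONS:
        if m.legal(a):
            continue
        try:
            conn.execute(SQL[a])
            ok = False                      # SQLite accepted a forbidden step
        except sqlite3.OperationalError:
            pass
    conn.close()
    return ok


def check_all(max_len: int) -> Dict[str, int]:
    traces = generate_traces(max_len)
    mismatches = sum(1 for t in traces if len(set(run_trace(t))) != 1)
    accepted = sum(1 for t in [()] + traces if not illegal_rejected(t))
    return {"traces": len(traces), "row_count_mismatches": mismatches,
            "illegal_accepted": accepted}


if __name__ == "__main__":
    print(check_all(4))
```

Swap the Model for a richer spec (savepoints, multiple connections, schema changes) and the enumeration quickly covers interleavings a hand-written test suite never lists; that is the leverage the Turso quote is describing, with the model checker doing the enumeration instead of this breadth-first loop.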

Mitigations #

GitHub: Staged publishing and new install-time controls for npm #

Staged publishing is now available on npm. With this opt-in setting, newly published package versions (commonly originating from workflow runs) do not go live immediately; instead they land in a publish queue and have to be approved manually before they become available. Also documented in the npm docs.

Dependency cooldowns are unfair; we should use phased rollouts instead #

Scott Robinson argues that instead of dependency cooldowns (where downstream projects do not update to the newest version of a dependency, but to the newest version that has been out for at least N days), package managers should use phased rollouts:

I propose that instead of “everyone waits N days,” package managers should deterministically map projects into a rollout window based on stable inputs: a project-specific identifier, package name, version, and artifact digest. The result is a globally distributed adoption curve rather than timezone-based canaries.
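The deterministic mapping quoted above, as an added worked example. This is not Scott Robinson's code and not any package manager's implementation: the SHA-256 construction, the 7-day window, the hourly granularity and the project identifiers are assumptions made for the demo.

```python
# Added example of a deterministic rollout window. Not the article's code;
# hash construction, window length and project ids are assumptions.
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def rollout_offset_hours(project_id: str, package: str, version: str,
                         digest: str, window_hours: int = 7 * 24,
                         salt: str = "") -> int:
    """Map (project, package, version, digest) to a stable hour offset in
    [0, window_hours). `salt` is an optional project-local secret (see the
    note after the block)."""
    material = "\x00".join([salt, project_id, package, version, digest]).encode()
    h = hashlib.sha256(material).digest()
    return int.from_bytes(h[:8], "big") % window_hours


def is_eligible(published_at: datetime, now: datetime, offset_hours: int) -> bool:
    """A project may adopt the version once its slot in the window has passed."""
    return now >= published_at + timedelta(hours=offset_hours)


def adoption_curve(project_ids: List[str], package: str, version: str, digest: str,
                   window_hours: int = 7 * 24, bucket_hours: int = 24) -> List[int]:
    """How many projects become eligible in each bucket (day) of the window."""
    buckets = [0] * (window_hours // bucket_hours)
    for pid in project_ids:
        off = rollout_offset_hours(pid, package, version, digest, window_hours)
        buckets[off // bucket_hours] += 1
    return buckets


def demo() -> Dict[str, object]:
    pkg, ver, digest = "left-pad", "1.3.0", "sha256:0123abcd"   # constructed
    published = datetime(2026, 1, 1, tzinfo=timezone.utc)      # constructed
    off = rollout_offset_hours("proj-a", pkg, ver, digest)
    return {
        "offset": off,
        "stable": off == rollout_offset_hours("proj-a", pkg, ver, digest),
        "eligible_before": is_eligible(published, published + timedelta(hours=off, seconds=-1), off),
        "eligible_at": is_eligible(published, published + timedelta(hours=off), off),
        "curve": adoption_curve([f"proj-{i}" for i in range(1000)], pkg, ver, digest),
    }


if __name__ == "__main__":
    print(demo())
```

One caveat worth keeping in mind: with the inputs the article lists, the publisher controls the version string and (via padding) the digest, so a malicious publisher could grind those values until a specific high-value project lands in the first hour of the window. Mixing in a per-project secret salt, as the optional parameter above does, removes that lever while keeping the same spread-out adoption curve.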

Culture #

Open-Source Resistance: Keep OSS alive on company time #

A “radical” proposal for employees of tech companies to help maintain the open-source infrastructure the company depends on, on company time:

The Open Source software your work relies on is maintained by others who also work. Evenings and weekends alone cannot maintain it. Stop begging massively profitable companies for time to fix things. Join the Open Source Resistance: quietly, professionally and on company time, doing what needs done.

This relates to supply-chain security because the idea formalizes something that is already the case: dependencies (the supply chain) are part of the product, and issues in dependencies become issues in the company's infrastructure or product.

Now more than ever: building reliable software in the age of agents #

A talk Ron Minsky (of Jane Street) gave at Bug Bash 2026, discussing how to build reliable software in an age where AI agents exist. To quote from the description:

Ron stakes out their position that AI workflows should maximize human effectiveness and understanding rather than replacing humans entirely. At Jane Street, many traditional (aka pre-Claude) software engineering practices have become more important rather than less. Type systems help provide fast feedback and enforce invariants that agents can understand. Expect tests allow developers to see system behavior and create deterministic simulations at the library level. Code review remains crucial for maintaining code quality and human understanding, even though agents change the dynamics. Finally, he touches on Jane Street’s growing interest in formal verification, and the impact of agents making previously expensive approaches, like formal methods, more practical.