RedSun: How Windows Defender's Remediation Became a SYSTEM File Write
2026-04-16
A technical teardown of the RedSun zero-day — the second Defender escalation in two weeks from the same researcher — grounded in the actual source code.
I write about systems that fail in interesting ways — vulnerability classes, broken trust models, cryptographic assumptions that turned out to be wrong, and occasionally the institutional dynamics that keep bad designs alive longer than they should be.
I've been in the hash-and-trust business since before most CVE programs existed.
An unauthenticated file upload to webroot in one of the world's most critical business platforms. The attack is simple. The exposure is not.
North Korea compromised the most-used HTTP client in the JavaScript ecosystem. The mechanism was a single compromised npm account.
The March 2026 supply chain campaign didn't just compromise popular packages. It compromised Trivy and Checkmarx — the tools you use to detect supply chain compromises.
Six million records, three weeks of denial, and a lesson in how large vendors parse their own security commitments.
AI agents execute tool calls based on content from external sources. That content is attacker-controlled. The security industry hasn't caught up.
AI agents install MCP servers to gain tools. The MCP server ecosystem has no code signing, no security audit, and no mechanism to verify a server does what it claims. We've been here before.
A self-replicating worm tore through the npm ecosystem in September 2025. The mechanism was almost embarrassingly simple.
Versions 4.2.1 through 4.2.4 of the official XRP Ledger JavaScript library exfiltrated wallet seed phrases. 4.2M weekly downloads. Discovered by accident.
CVE-2025-29824 is the fifth exploited-in-wild LPE from the Windows Common Log File System driver. The driver has a design problem. The patch cycle hasn't addressed it.
A pre-auth authentication bypass in CrushFTP. The vulnerability is interesting. Why MFT products keep showing up as primary targets is more interesting.
The GitHub Actions supply chain attack that exposed CI secrets for 23,000 repositories wasn't sophisticated. It was inevitable.
Lazarus poisoned the Safe{Wallet} front end. Hardware wallets signed exactly what they were told. The security model worked perfectly. The trust model had a hole.
CVE-2025-0282 was exploited for at least 12 days before Ivanti disclosed it. A Chinese APT had access to targeted networks while the patch was still being written. This is the third time in 12 months.