Linux Supply Chain How-To – PSW #928

Paul Asadoorian

1. The CVE Chase Must Stop

   We've talked about how defenders are playing catchup more than ever, here are some suggestions for better defense for us to discuss:

   • "Organizations must recognize that an attacker’s true success is not initial access — but access to critical assets. Defense should focus on preventing that. This means identifying weak configurations that allow access to sensitive resources and enforcing proper network segmentation to prevent lateral movement — even if one endpoint is compromised."
   • "Additionally, permissions should be minimized and aligned strictly with user identities and actual needs"
   • "Multi-factor authentication (MFA) must be enforced across all resources, especially sensitive ones. For high-risk actions (such as vendor payments), a “Four Eyes” principle should be implemented — requiring approval from a second person. This helps protect against compromised admin accounts."
   • Jeff will love this: "Finally, this entire framework must be continuously tested through penetration testing — ideally on an ongoing basis, which is now feasible thanks to AI. "
2. BSides312 2026: Security Basics Under New Pressure

   The mindset is a big part of security, especially when it comes to software security and supply chain, the author/presenter has this advice:

   " Stop leaning on personal access tokens where better options exist. Do not automatically trust :latest, and pin dependencies with cryptographic hashes or digests. Tags are not immutable, and attackers know how to move them. Lock down GitHub Actions, restrict runner permissions, remove passwordless sudo, and treat secrets in continuous integration and continuous delivery systems as high-value targets."

   Thoughts?

3. The Real Problem Isn’t AI Adoption, It’s the Enterprise Stack Behind It

   I am really digging this observation: "This is why many enterprise AI initiatives stall after the pilot phase. The problem is not the model. It is not prompt engineering. It is not even AI governance alone. The problem is the fragmented enterprise stack behind the AI layer. Disconnected platforms. SaaS sprawl. Legacy systems. Workflow silos. Duplicate operational tooling. Inconsistent data architectures. Weak observability. No orchestration layer. No enterprise AI operating model."

4. NIST’s Nine: The PQC Signature Race Moves to Round Three

   TL;DR: "On May 14, 2026, NIST announced nine finalists advancing to Round 3 of its Additional Digital Signatures for the Post-Quantum Cryptography standardization process — after 18 months of evaluation. The nine algorithms are FAEST, HAWK, MAYO, MQOM, QR-UOV, SDitH, SNOVA, SQIsign, and UOV, spanning lattice-based, multivariate, MPC-in-the-Head, isogeny, and symmetric-based approaches. Teams can now submit updated specs and tweaks, with this final evaluation phase expected to run approximately two more years before any new standards emerge. This is separate from the already-finalized FIPS 203/204/205/206 suite — NIST is hunting for signature diversity to reduce single-point-of-failure risk in the PQC portfolio."

5. AI-Assisted Exploit Development Outpaces Detection

   I'm not certain about the last part: "Threat actors are now actively using LLMs to accelerate exploit development — writing and modifying PoCs, automating network scanning, and handling privilege escalation scripting at scale. A key emerging capability is AI agents that can autonomously identify vulnerabilities in target environments and generate working exploits with minimal human input. On the defensive side, the cat-and-mouse game has shifted too: defenders are deploying AI-driven scanners to detect these AI-generated exploits in real time, though attackers are adapting their tooling specifically to evade automated detection pipelines" Also, this is interesting:

   • "Research found that 54% of all CVEs published since January 2025 lacked detection signatures from any of these vendors. Among those scanners, response times also varied, with median detection lag after disclosure measured 0.1 days for Tenable, 2.9 days for Qualys, and 5.1 days for Rapid7. "
   • This is next to impossible: ""The organizations in the best position right now are the ones that can answer 'Are we running affected software?' within minutes of a new CVE, independent of whether their scanner vendor has shipped a plug-in for it,"" - It relies too much on version detection, which is not sufficient for knowing "am I vulnerable?".
6. Hacking A Video Walkie Talkie’s TXW818 MCU And Running DOOM

   Why are we always running DOOM? Can't we do something more interesting?

7. Google publishes exploit code threatening millions of Chromium users
8. Vulnerability Embargos Are Dead

   Managing a vulnerability embargo is hard. When you find a vulnerability keeping it from being public until a specific day is difficult because:

   • What if more than one researcher found it?
   • What if it affects more then one vendor?
   • What if its open-source and the patch is committed and public?
9. Flipper One – we need your help

   I love the goals and challenges: "Build the most open and best-documented ARM computer in the world, with full mainline Linux kernel support. Push vendors to open up their existing closed-source code and ditch binary blobs entirely. Build an unconventional hardware platform based on a co-processor architecture that pairs a microcontroller with a CPU, and port tons of low-level MCU code. Rethink how people use Linux and develop our own GUI framework with wrappers around existing CLI utilities." - It's ambitious, and that's part of why I love it. Back in the day, we had Nokia handhelds that ran Linux; it was a fun toy, but it quickly ended up in a drawer in favor of a laptop or other devices. Some notes:

   • "Flipper One comes with several network interfaces: 2x Gigabit Ethernet, USB Ethernet (5 Gbps), and Wi-Fi 6E (2.4/5/6 GHz). You can add 5G connectivity by plugging in an M.2 modem. That means you can use Flipper One as a router, a VPN gateway, or a bridge between wired and wireless networks." - This is the perfect platform for so many projects, my MITM Beast for one.
   • Native open-source with no binary blobs - This is amazing for so many reasons, for one, it means the community can maintain code and add-ons forever...
   • It's a CPU and an MCU in one! - This is really cool, you can run full Linux on the CPU, and the MCU can run independently.
   • It has M.2, TWO Ethernets, USB (with network support), GPIO, and an HDMI port, a full one! - Expands so many possibilties, carry one device for all hacking needs. Sweet.

   While I am excited, there are many challenges to get this thing shipping. Its a lot of moving parts. Time will tell if we are every going to be able to get one...

10. Ghost hackers: the cybersecurity mystery that nobody has solved

    This still has me curious, who were the Shadow Brokers!

11. Ubiquiti Patches Critical UniFi OS Vulnerabilities Allowing Remote Privilege Escalation
12. YellowKey: The Unpatched BitLocker Bypass Hidden in Windows Recovery

    Some things that many others are not saying about YellowKey, this bitlocker bypass. Also, Microsoft pulled the author's Github account, and Gitlab did as well.

Jeff Man

1. MITRE moves Caldera cybersecurity platform to Apache Foundation for broader open-source collaboration

   Good move or not? Necessary? Pragmatic? Or is there a motive we don't see

2. Roadmap for Wind Cybersecurity

   The answer my friend...

3. Data breach on New York public health system claims 1.8M victims, leaking biometric data to hackers

   "An investigation found cybercriminals had been inside its IT infrastructure since November 2025, stemming from a breach on an unnamed vendor the organization contracts with for services."

4. Canvas Data Breach: What Students, Parents, and Faculty Need to Know

   This continues to be bad, but I wonder if we need to distinguish in our "breach reporting" the difference between data compromise and data exposure?

5. Lawmakers Demand Answers as CISA Tries to Contain Data Leak

   More on the GitHub AWS GovCloud keys "exposure"... the fallout continues.

6. Krispy Kreme customers could get $3,500 in payouts after data breach

   Minimal compensations is $75 and a year of credit monitoring. That's enough for about six doughnuts!!!

7. 7-Eleven data breach affects over 185,000 people’s personal data

   This is consistent with DBIR reporting from 2025 (still haven't read the 2026 edition) that indicates a trend towards retailers/merchants being compromised for credentials and PII rather than payment card data.

8. BSidesHBG 2026

   Friday May 29th, 2026 PA Farm Show Complex and Expo Center Harrisburg, PA 8:00AM - 5:00PM

   Hope to see you there!

9. NaClCON

   Play Hard. Hack Harder. Really looking forward to hanging out with hacker friends old and new.

Joshua Marpet

1. Software Supply Chain is…less than optimal

   What packages are abandoned, and still downloaded? And how fast do you have to be to stay ahead of the supply chain attacks? Find out!!