The `left-pad` incident was 10 years ago today.

https://en.wikipedia.org/wiki/Npm_left-pad_incident

Thankfully, we've completely solved software supply chains in the years since.

[RSS] LLVM Adventures: Fuzzing Apache Modules

https://pwner.gg/blog/2026-03-20-apatchy

🤞https://open.substack.com/pub/chinatalk/p/how-claude-opened-the-strait-of-hormuz

looks like anthropic got rid of the claude refusal triggering string :(

This is my analysis (and PoC) for CVE-2026-20817, a privilege escalation in the Windows Error Reporting service.

👉 https://itm4n.github.io/cve-2026-20817-wersvc-eop/

Credit goes to Denis Faiustov and Ruslan Sayfiev for the discovery.

TL;DR A low privilege user could send an ALPC message to the WER service and coerce it to start a WerFault.exe process as SYSTEM with user-controlled arguments and options. I did not achieve arbitrary code execution, but perhaps someone knows how this can be done? 🤷‍♂️

Google Search using AI to rewrite headlines

https://www.theverge.com/tech/896490/google-replace-news-headlines-in-search-canary-coal-mine-experiment

NetAskari believes a recent hack and leak from China's National Super Computer Center of China (NSCC) might be real

https://netaskari.substack.com/p/chinas-massive-data-leak-of-military

@airwhale @13reak Ironically, the publisher went out of business shortly after this article (and its follow-up) came out because the no-ads, optional subscription model didn't work out for them...

@jerry yes + they had that likely related fuckup with the not-really-revoked cert, resulting in the compromise of their gov cloud.

@jerry You mean other than the recent MS thing?

Has anyone ever heard of a security breach of a Fedramp moderate or higher authorized environment? I mean the parts that are authorized.

@airwhale @13reak

"companies spending money with the adtech companies do see returns" - Not necessarily, as measuring conversion rates is not easy. If you see that without G your visits plummet (as measured by G) you go back to G. Recommended:

https://thecorrespondent.com/125/the-non-sense-of-online-advertising-when-the-numbers-dont-add-up

I'm not familiar with news specifically, but I assume they don't partner with advertisers directly, but through an ad network, which is in the end owned by Meta or G, who can ~arbitrarily set their prices/payouts?

A vulnerability in a Linux enterprise app can allow attackers root access over devices

The issue impacts Himmelblau, an interoperability suite to integrate Linux with Entra ID and Intune networks.

https://www.akamai.com/blog/security-research/2026/mar/cve-2026-31979-symlink-root-privilege-escalation-himmelblau

NTLM and SMB go opt-in

https://daniel.haxx.se/blog/2026/03/22/ntlm-and-smb-go-opt-in/

#curl

@sassdawe lol OK that makes sense :D I thought you want to exclude advertisers.

@sassdawe Who would scare away their best customers (in this case, companies with the highest turnover rates)? :)

@13reak @airwhale Yes, this is what I mean.

You are right that these are extremely powerful tools, still I feel like most customers (by count, not invoices) are just burning their money on adtech, because that's what everybody does, while you don't have to be Nassim Taleb to see that the numbers justifying the spend are rigged.

@13reak @airwhale Oh GDPR avoidance is a great reason to operate like this!

I think we are talking about different things re: company revenues: as I understand these companies use data to do marketing - this can be translated to money, sure. But how is it possible that these marketing companies work with finances comparable to e.g. Exxon?