Microsoft Exchange is under active attack via CVE-2026-42897 as CISA mandates a May 29 federal deadline, while a TanStack supply chain attack compromised OpenAI developer devices and forced a mass certificate revocation. Today's briefing breaks down both escalation chains and what security teams need to do now.
Audio is available on Spreaker.
Microsoft's on-premises Exchange Server is under active attack right now. CVE-2026-42897 is a cross-site scripting flaw in Exchange's web interface, and it's being exploited in the wild via crafted emails.
Microsoft deployed the Exchange Emergency Mitigation Service, which enables a URL rewrite rule by default while a permanent patch is still pending. Here's the practical wrinkle: some administrators are seeing a "Mitigation invalid" status message even when the mitigation has applied successfully.
The second major story involves a supply chain attack that reached OpenAI. The vehicle was TanStack, a widely used npm package ecosystem.
What followed at OpenAI was the more structurally interesting consequence. Because employee devices with signing authority were compromised, OpenAI revoked iOS, macOS, and Windows signing certificates.
These two incidents share a structural logic. Exchange is being hit through its web interface.
Chapter summary auto-generated from the verified script. Listen to the full episode for the complete content.