A poisoned npm package breached Grafana, OpenAI, and Mistral AI in a single supply chain hit — while the Verizon DBIR reveals vulnerability exploitation has overtaken stolen credentials for the first time in 19 years. Today's briefing also covers DirtyDecrypt LPE, a Drupal emergency patch, the YellowKey BitLocker bypass, and the 275-million-user Canvas LMS breach.
Audio is available on Spreaker.
A single poisoned npm package has now been tied to confirmed breaches at Grafana Labs, OpenAI, and Mistral AI. One upstream compromise.
The Verizon twenty twenty-six Data Breach Investigations Report landed this week, and one number stands out above everything else. For the first time in the report's nineteen-year history, vulnerability exploitation has surpassed stolen credentials as the primary method attackers use to get in.
On the Linux side, a proof-of-concept exploit called DirtyDecrypt was published on May nineteenth for CVE-2026-31635, a privilege escalation flaw scoring seven point five on the CVSS scale. It affects Fedora, Arch, and openSUSE systems with a specific kernel configuration enabled.
Drupal announced an emergency core security release scheduled for May twentieth, covering versions eight through eleven. The specifics of the flaw weren't disclosed ahead of the patch, which is standard practice to limit pre-release exploitation.
The Canvas LMS breach, attributed to ShinyHunters, is still being investigated. Two separate incidents, on April twenty-ninth and May seventh, are believed to have compromised names, email addresses, student IDs, and private messages.
The signal this week isn't any single breach. The signal is convergence.
Chapter summary auto-generated from the verified script. Listen to the full episode for the complete content.