Blog
Takes on security, software, infrastructure, and whatever else is on my mind.
Most Breaches Aren't Hacking. They're Human Failures.
The world loves the word 'hack.' The reality is that the biggest threat to most organizations is the people inside them: phishing, insider threats, default passwords, leaked credentials, or just someone holding the door open for a stranger.
Redis Has Had a CVSS 10 RCE for 13 Years
A use-after-free in Redis's Lua scripting engine has been sitting there since 2012. CVSS 10. If you run Redis with Lua scripting enabled (the default) and an attacker can get a script to EVAL, you're affected. Nobody noticed for over a decade.
CVE-2026-39987: An AI Agent Got Root on a Database
An LLM agent with notebook access exploited a misconfigured database in under an hour. No human attacker involved, just an agent doing what it was told.
160 npm Packages Compromised. Auto-Update Did This.
Attackers hijacked a maintainer token and pushed malicious code to 160+ npm packages. Every project that resolved those packages through a floating version range (^ or ~) without a committed lockfile pulled the poisoned release in on its next install. The 'hack' was npm doing what it was designed to do.
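To make the "npm doing what it was designed to do" point concrete, here is an added example (not code from the post or from npm itself): a toy semver resolver that mimics how a floating range picks the highest matching published version, run against a constructed registry state where the newest patch release is the one a hijacked token pushed. The package versions, the "malicious" release and the dependency specs are all invented for illustration; the resolver handles exact pins, ^ and ~ only, not npm's full range grammar.

```javascript
// Added example: why ^ and ~ ranges pull a freshly published malicious release.
// Toy resolver: exact pins, caret (^) and tilde (~) on x.y.z versions only.
// No prerelease tags, no ranges joined with || or >=. Not npm's real resolver.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Compare two parsed versions: negative if a < b, 0 if equal, positive if a > b.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True if version string `v` satisfies `range`.
function satisfies(range, v) {
  const r = range.trim();
  const ver = parseVersion(v);
  if (r.startsWith('^')) {
    // ^x.y.z allows changes that keep the leftmost non-zero component fixed.
    const base = parseVersion(r.slice(1));
    if (cmp(ver, base) < 0) return false;
    if (base[0] > 0) return ver[0] === base[0];
    if (base[1] > 0) return ver[0] === 0 && ver[1] === base[1];
    return ver[0] === 0 && ver[1] === 0 && ver[2] === base[2];
  }
  if (r.startsWith('~')) {
    // ~x.y.z allows patch-level changes only.
    const base = parseVersion(r.slice(1));
    return cmp(ver, base) >= 0 && ver[0] === base[0] && ver[1] === base[1];
  }
  // Anything else is treated as an exact pin.
  return cmp(ver, parseVersion(r)) === 0;
}

// Without a lockfile, npm picks the highest published version that satisfies
// the range. Returns null if nothing matches.
function resolve(range, published) {
  const ok = published
    .filter((v) => satisfies(range, v))
    .sort((a, b) => cmp(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed registry state (invented for this example): 4.17.21 is the last
// legitimate release, 4.17.22 is the one the hijacked token published.
const PUBLISHED = ['4.17.20', '4.17.21', '4.17.22'];
const MALICIOUS = '4.17.22';

// For each dependency spec, report what a fresh install would resolve to.
function auditSpecs(specs, published, malicious) {
  return specs.map((spec) => {
    const picked = resolve(spec, published);
    return { spec, picked, pullsMalicious: picked === malicious };
  });
}

// Three ways the same dependency might be declared in package.json.
const REPORT = auditSpecs(['^4.17.21', '~4.17.21', '4.17.21'], PUBLISHED, MALICIOUS);

for (const r of REPORT) {
  console.log(`${r.spec.padEnd(9)} -> ${r.picked}${r.pullsMalicious ? '  (malicious release!)' : ''}`);
}
```

Only the exact pin stays on the known-good release; both floating ranges resolve to the attacker's patch version the moment it is published. A committed lockfile installed with `npm ci` freezes the resolution to what was recorded, which is the cheapest defence this example points at.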
xz Utils: A Two-Year Social Engineering Job
A contributor spent two years earning enough trust to become a maintainer and slip a backdoor into the build process. The payload was sophisticated, but the way in wasn't a technical exploit. It was social engineering with a very long fuse.
More notes on the way. For ongoing CVE coverage, check out the Southside CHI Solutions blog.