Field Notes

Honest takes on CVEs, supply chain attacks, and the state of security. Terminal demos included.

My take: there's very little actual hacking happening out there. Most of what we call breaches are just bad security practices from organizations that can't keep up with threat actors who are now equipped with AI. The fix isn't buying more tools. It's doing the basics consistently.

Supply Chain2024-03-29

xz Utils: A Two-Year Social Engineering Job

A maintainer spent two years earning trust in an open-source project just to slip a backdoor into the build process. This wasn't hacking. This was patience.

Supply Chain2026-05-28

160 npm Packages Compromised. Auto-Update Did This.

Attackers hijacked a maintainer token and pushed malicious code to 160+ npm packages. Every project with auto-update pulled it in automatically.

Opinion2026-06-01

Most Breaches Aren't Hacking. They're Housekeeping Failures.

The industry loves the word 'hack.' The reality is most incidents are default credentials, unpatched systems, and misconfigurations that sat there for months.

CVE / AI Security2026-05-29

CVE-2026-39987: An AI Agent Got Root on a Database

An LLM agent with notebook access exploited a misconfigured database in under an hour. No human attacker involved, just an agent doing what it was told.

CVE2026-05-31

Redis Has Had a CVSS 10 RCE for 13 Years

A use-after-free in Redis's Lua scripting engine has been present since 2012. CVSS 10. If you run Redis, you're probably affected.

More notes on the way. For ongoing CVE coverage, check out the Southside CHI Solutions blog.