CVE-2026-3854: any authenticated GitHub user could RCE the backend with a git push. Unsanitized semicolons in push options → X-Stat header injection → sandbox bypass → code execution.Same day, a survey of 18 months of supply chain attacks all tracing back to GitHub Actions.Same structural problem at two layers.New post: https://alexreed.srht.site/blog/github-rce-actions-weakest-link.html#infosec #supplychain #github #CVE

Hot take on supply chain attacks: STOP USING THE SUPPLY CHAIN!I propose that any software important enough to operate your company should be written entirely in house. Fuck all those random libraries and processes. If you ABSOLUTELY have to use an external bit of code, then explain to the security team and product managers why it can't be written in-house. But this is a pipe dream. iT TaKEs ToO LoNG! will be the cry from the counters of the beans. LINE MUST GO UP!!! they'll cry.#infosec #supplychain #obviousideas #capitalismIsADeathCult

Announcing Dependabot Configuration Enhancements: Cooldown and Group Support https://www.stepsecurity.io/blog/announcing-dependabot-configuration-enhancements-cooldown-and-group-support#Security #SupplyChain #DevSecOps