Complete static archive of GigaTap articles about VPN, privacy, OPSEC, and security.
- Laravel-Lang compromise shows the risk inside release tags - A reported compromise of Laravel-Lang PHP packages used rewritten git tags and Composer autoload behavior to run a cross-platform credential stealer.
- Packagist attack shows a blind spot in mixed PHP builds - Eight Packagist packages were reportedly modified to run a Linux binary via GitHub Releases, with malicious code placed in package.json rather than compose
- Pixel TPU access gets a real developer workflow - Google’s Tensor ML SDK beta gives developers a LiteRT path to run supported ML and GenAI models on Pixel 10 TPUs, with real promise and clear limits.
- TeamPCP shows how trusted developer updates fail - A reported TeamPCP wave hit VS Code, PyPI, and npm paths in one week. The lesson is release-level trust, not publisher badges.
- TrapDoor Shows How Package Malware Hunts Developer Secrets - Socket reports an active cross-registry campaign using npm, PyPI, and Crates.io packages to steal wallets, tokens, SSH keys, cloud credentials, and develop
- Underminr Shows a CDN Trust Gap Defenders Can’t Ignore - A reported CDN routing weakness can make malicious traffic look like it is going to trusted domains. The risk is not just domain fronting. It is broken cor
- A Judge, a Trump Lawsuit, and a Recusal Question - FPF says a Florida judge ruled for Trump in a Pulitzer-related defamation case while seeking a federal judgeship from Trump’s administration.
- AI-assisted macOS exploit work is the real signal - A short Schneier item claims Anthropic’s Mythos model was used in work on a macOS kernel memory corruption exploit. The useful takeaway is not panic, but a
- AI Security Risk Is Mostly Governance Failure - Zapier’s AI security checklist points to a practical problem: unmanaged tools, sensitive uploads, and weak account controls create more immediate risk than
- Fast16 and the old lesson in destructive malware - Risky Business #835 points to a useful warning: destructive malware is not only a current incident problem. It is also a history problem, and the timeline
- Fuel Tank Gauges Are a Quiet Infrastructure Risk - Internet-exposed automatic tank gauge systems can give attackers a low-cost path into fuel operations. The risk is less about drama and more about weak acc
- Gaming Security Is Bigger Than Player Accounts - Microsoft’s gaming security framing shows why platforms, studios, commerce, identity, player safety, and unreleased IP must be treated as one connected ris
- GitHub’s poisoned extension incident shows a quiet supply-chain gap - GitHub says a malicious third-party VS Code extension compromised an employee device and led to exfiltration of internal repositories. Customer repository
- Identity Checks Need Device Trust Too - Stolen sessions and compromised endpoints can make valid logins look safe. Device verification helps close that gap, but it is not a silver bullet.
- Internet Shutdowns Need a Plan Before the Cut - EFF’s guide is less about one magic app and more about preparation: radios, mesh tools, email fallbacks, satellite links, and the limits of each.
- Kimwolf arrest shows the cost of forgotten IoT devices - Canadian authorities arrested an Ottawa man accused of operating Kimwolf, an IoT botnet tied to massive DDoS attacks. The case is still alleged, but the ri
- Laravel Lang attack shows how package tags can betray trust - Snyk says hundreds of historical Packagist versions for Laravel localization packages were republished with credential-stealing malware. The key failure wa
- Meta reach blocks put rights speech in the dark - Access Now says Meta blocked human rights accounts from reaching audiences in Saudi Arabia and the UAE. The key issue is not only the block, but the lack o
- Microsoft Security’s May update points at AI-era control - Microsoft’s May 2026 security roundup signals a continued push toward visibility, control, and protection across expanding cloud, SaaS, and AI-driven envir
- Mini Shai-Hulud hits npm and CI trust paths - A fresh Mini Shai-Hulud campaign compromised npm packages, GitHub Actions, and PyPI entries, turning maintainer trust and CI secrets into the attack surfac
- Mullvad Exit IP Fingerprinting: Small Signal, Real Linkability - Mullvad disclosed a VPN exit IP assignment issue that may let sites correlate sessions across servers without exposing identity.
- OmniRoute looks useful. Review it like infrastructure - OmniRoute promises one endpoint for many AI providers and coding tools. Before adopting it, review deployment, keys, fallback, compression, and failure mod
- SAST, SCA, DAST: Know What Each Tool Can Actually See - SAST, SCA, and DAST are not interchangeable AppSec tools. Each sees a different layer of software risk: proprietary code, dependencies, and runtime behavio
- Shai-Hulud Shows the Weak Link: Maintainer Trust - Sonatype says a new npm compromise wave abused trusted maintainer access and install-time hooks. The risk is not just bad packages, but stolen CI/CD secret