🕵🏻‍♂️ [InfoSec MASHUP] 23/2026 - Built Broken, Patched by Others.

Another week, another set of trojaned packages, hijacked registries, and one-click credential theft. The operational response is by now well-rehearsed: patch, rotate secrets, enable 2FA, audit your dependencies, check your CI/CD workflows. The patching teams are doing their jobs. The question this week's malware section keeps nudging at is a different one: why is so much of what they're patching broken at the point of creation?

The supply chain attack surface exists because the software ecosystem normalized shipping fast over shipping secure, because package registries scaled adoption without scaling trust infrastructure, and because the developer who published a package with a hardcoded credential and the organization running it in production are rarely the same person bearing the consequences. #IBM and #RedHat just committed $5 billion to fix this upstream. #CISA launched CI Fortify to help #OT operators survive worst-case scenarios downstream. Both efforts are necessary. Both are also symptoms of an industry that has spent decades externalizing the cost of insecure software onto the people least positioned to refuse it.

→ Week #23/2026 also covers: Palo Alto Networks Alto GlobalProtect auth bypass is actively exploited, Weil, Gotshal & Manges LLP reportedly paid $20M to keep client files quiet, and the #EU is moving to limit U.S. cloud in sensitive infrastructure

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-23-2026-built-broken-patched-by-others

If you find it useful, subscribe to get it in your inbox every weekend 📨

#infosecMASHUP #cybersecurity #infosec #threatintel #AI

🕵🏻‍♂️ [InfoSec MASHUP] 22/2026 - The Patch Is Scaling. So Is the Attack.

#Megalodon backdoored 5,500 #GitHub repositories in six hours. Not six days — six hours. Malicious commits silently replacing CI/CD workflows, hoovering tokens, cloud credentials, SSH keys, and environment variables before most of the affected projects had processed a single alert. The same week, #IBM and #RedHat announced a $5 billion commitment, called Project Lightwell, to securing the open source supply chain, #Anthropic's #Mythos model surfaced 23,000 potential vulnerabilities across 1,000 OSS projects, and Apple open-sourced its quantum-resistant crypto stack with formal verification proofs attached. The industry's response to supply chain risk is finally arriving at a scale that looks serious.

The problem is the math. The response is measured in billions of dollars and multi-year programs. The attack is measured in hours and automated tooling. Megalodon's six-hour window isn't an anomaly — it's a benchmark. Last week it was TeamPCP and the GitHub cascade. The week before, Laravel Lang and malicious postinstall hooks across 700 repos. The investment in defense is real and necessary, but it's being deployed against a threat that doesn't need a budget cycle to iterate. Project Lightwell will fund important work. Megalodon already shipped.

→ Week #22/2026 also covers: #ShinyHunters hit Carnival, Charter, and Mytheresa, the Dutch blocked a U.S. takeover of their national ID infrastructure, and Iran-linked actors are coding backdoors with AI assistance.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-22-2026-the-patch-is-scaling-so-is-the-attack

If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI