Newsletter Issue #177: What I Read This Week

Another week, another supply chain close call. This really feels like a win in the end all things considered.

IYKYK.

Let’s get into it.

---

What I Read This Week

• Building Scalable Financial Infrastructure for Nonprofits in the Era of AI and Cloud Computing

  • Citation
    Zhou, Daniel (2025). Building Scalable Financial Infrastructure for Nonprofits in the Era of AI and Cloud Computing. figshare. Preprint. https://doi.org/10.6084/m9.figshare.30113638.v1

  • Interesting use case discussed for non profits via a platform utilizing Plaid Link and the Node.js frameowork
    

• New Really Simple Licensing spec wants AI crawlers to show a license - or a credit card

  • TLDR is that these web crawlers ingest website content, which then gets used for training the AI models, this spec is to get the frontier companies to pay

  • This won’t be the end all, but is a good start

  • Could allow for a standard for “fair use” access to be supported
    

• Modeling Attacks on AI-Powered Apps with the AI Kill Chain Framework

  • Modeling how attackers operate in the framework they’re calling the AI Kill Chain

  • The example walkthrough is going over a RAG application and how it might be used to exfiltrate data
    

• Scams picking up on Substack

  • This one targeting subscribers via Chat

  • The thinking is there’s a certain level of trust in a subscribers chat, and people’s guards are lower

  • Between ones like this and GoFundMe scam campaigns, they’re getting rampant

• Ransomware operations ceased by Scattered Spider, others

  • They announced the end of their operations on a BreachForums hosted page, followed by their Telegram channel, for now

  • The campaign targeted over 700 organizations worldwide
    

• ctrl/tinycolor and 40+ NPM Packages Compromised

  • (This later became 500+ packages)

  • Once a single environment is compromised, the worm automates the spread by piggybacking on the maintainer’s publishing rights

  • It briefly compromised 25 NPM packages managed by CrowdStrike.

  • Most of the blast radius was taken down quickly

    

    Image of the attack flow from StepSecurity

  • The team at StepSecurity hosted a Community Office Hour going over the compromise and recovery strategy

• What the Salesloft Drift breaches reveal about 4th-party risk

  • Goes over the idea of being breached through a vendor’s acquired company, referred to as a “fourth-party”

  • How integrations, OAuth tokens, and permissions through acquired companies is a blind spot
    

• 11 System Design Concepts Explained, Simply

  • Concepts explained such as Horizontal vs Vertical Scaling, how to reduce latency and more

  • With AI making development (code generation) ubiquitous, the real skill going forward will be in system design

---

Wrapping Up

This week involved developments around AI and the path forward, and a lot of supply chain/third-party risk. If some of this sounds familiar that’s because it is.

See you in the next one.

---