Every exhibit, newest first.

April 30, 2026. A kernel LPE that has lived in every major Linux distro since 2017 is now public, with a 732-byte exploit. You manage a multi-tenant Kubernetes cluster.

The morning of December 4th, 2025. A critical RSC vulnerability is on the front page. Your app is on Next 15.4. You have an hour before standup.

September 8, 2025. A single phishing email gives an attacker the npm account for `chalk`, `debug`, and sixteen other packages with 2.6 billion combined weekly downloads. The malicious versions sit live for two and a half hours.

March 14, 2025. A widely-used GitHub Action is overnight rewritten so every tag, v1, v44, v45, points at one malicious commit. Every workflow that pinned by tag now exfiltrates its secrets to the build log.

A CI run printed a token because someone added `set -x` to debug a failing step. The log is public.

July 1, 2024. Qualys publishes a working unauthenticated RCE against the OpenSSH server, a regression of an 18-year-old CVE that quietly returned in 2020. Your fleet runs sshd on every host.

June 2024. The polyfill.io domain quietly changes hands. The same <script> tag on a hundred thousand websites starts serving conditional malware to mobile users. Yours might be one of them.

March 29, 2024. A Postgres engineer notices sshd is half a second slower on his test box. The investigation that follows uncovers a two-year supply-chain operation against every Linux distribution.

A small startup pushed a build with the wrong directory listed as public. You arrive after the bots have already noticed.

December 2023. Researchers show a middlebox can truncate the SSH handshake just before NEWKEYS, downgrading your channel without triggering the hostkey warning you were trained to trust.

October 2023. Google, AWS, and Cloudflare coordinate disclosure: a flaw in HTTP/2 stream cancellation lets a handful of TCP connections tie up origin CPU, the largest layer-7 attacks measured to date.

October 2023. A memory read goes past the end of a header buffer on NetScaler ADC and Gateway before patch 14.1–12.1. Session tokens leak to strangers.

A login at 04:11 from a country no one on the team has ever visited. Trace what they did before the team woke up.

June 2023. Progress Software emergency-patches MOVEit Transfer while Cl0p claims hundreds of victims. The bug is pre-auth SQLi on the web tier, data exfil before ransomware ever loads.

March 2023. VoIP vendor 3CX ships a desktop app update that contains a decade-old chat library, and something newer that phones home from your sales floor.

March 2022. A bad commit from 2010 meets Spring MVC on Tomcat 9 + JDK 9+. Query parameters become write primitives under the right classpath layout.

December 2021. A string in a log line should be inert. In Log4j 2.x, it is a remote code execution primitive, through LDAP, through your own logging pipeline.

May 7, 2021. Colonial Pipeline proactively halts fuel flows on the largest U.S. refined-products line. The headline says ransomware, your job is what the logs say about ingress.

March 2021. Microsoft discloses four Exchange zero-days actively exploited in the wild. The first stone in the chain is an unauthenticated SSRF against `/owa/auth/` paths.

July 2020. CVE-2020-5902 drops: unauthenticated attackers can run arbitrary commands through the Traffic Management User Interface. Your SOC ships a block rule at 03:00 local, already late.

December 2020. FireEye discovers its own red-team tools were stolen, not by spear-phishing, but through a trojaned update to enterprise network monitoring software.

September 2017. Equifax announces 147 million consumer records exposed. The ingress was a patched-but-unapplied Struts bug, and nine digits of consequence.

May 12, 2017. NHS trusts see BSOD cascades. A worm encrypting files at line speed is spreading through SMBv1 using an exploit stolen from Equation Group, until someone registers a nonsense domain.

Fall 2016. DVRs and IP cameras ship with telnet open and passwords printed on a sticker nobody changed. Someone publishes src.zip and the internet learns a new verb: `load`.

September 24, 2014. Someone realises you can stash arbitrary bash commands in HTTP headers and have them executed by CGI scripts. Half the web runs bash as `/bin/sh`.

April 2014. A keep-alive feature in OpenSSL can return a slice of process memory to any client. Private keys, session cookies, passwords, all adjacent to the heap for a moment.

June 2010. A Belarusian AV company publishes a strange Windows worm. It talks to Siemens PLC software, carries stolen Realtek certificates, and spreads through USB sticks.

November 2008. MS08-067 ships for a critical Server service RPC hole. Conficker spreads anyway, through patched gaps, weak passwords, and USB autoplay.

January 2004. Email subjects alternate between test, hello, and Mail Delivery System. The attachment is a scrap of shrapnel, and it opens outbound TCP 3127 on millions of desktops.

January 25, 2003. A single malformed UDP packet to SQL Server can own the process. Someone weaponises it into the fastest-spreading worm the internet had yet seen.

July 2001. IIS 4 and 5 answer a malformed GET to /.ida with a buffer overflow. Within hours the worm is scanning random IPv4 space for TCP 80.

May 2000. The subject line is ILOVEYOU. The attachment is a .vbs file. Within hours, outlook.exe is the fastest file-sharing network on Earth.

March 26, 1999. A Word macro arrives as list.doc from someone you know. By Monday the mail servers at Intel and Microsoft are holding tens of thousands of copies.

April 1998. A student in Taiwan ships a parasitic .exe. It lies dormant until Chernobyl's anniversary, then it overwrites the flash BIOS on thousands of PCs.

November 2nd, 1988. Something is wrong with ARPANET, mail delays, logins failing, machines falling over. You're the grad student on duty who gets the phone call.

An old UNIX timeshare in 1988. The password file is world-readable. This is why we have shadow.