Every exhibit, newest first.

11 May 2026. GTIG publishes disruption of a mass-exploitation-ready Python zero-day: valid-password session first, second factor skipped via a contradictory trust shortcut in auth flow. Practice the defender read they describe.

May 14, 2026. A threat cluster publishes hundreds of look-alike packages and tampers with restore keys in public workflows. You prove cross-ecosystem reach from CI artefacts.

May 12, 2026. After CVE-2026-31431 mitigations land, one CI worker still shows odd text section mappings. You prove whether fragments of poisoned pages remain mapped in shared address spaces.

6 May 2026. CVE-2026-0300 reaches NVD the same day CISA adds it to the KEV catalog: unauthenticated RCE on PA-Series and VM-Series when the User-ID Authentication Portal touches untrusted networks.

Late April 2026. A tenant reports that `su` misbehaves on a shared node after a rival team's CI job ran. Press and vendor posts about CVE-2026-31431 (Copy Fail) land the same shift while NVD already listed the CVE on 22 April.

April 29, 2026. Users report that ‘SharePoint’ windows look almost right but strip security cues your org trained them to expect. IR ties the behaviour to CVE-2026-32202’s spoofing primitives plus a hurried phishing kit.

March 21, 2026. State-wide Canvas tenants see burst `/api/v1` traffic copying rubric exports. You correlate developer key logs with a wayward LTI integration.

March 10, 2026. A zero-click-looking WebKit crash hits two executive iPhones before the 26.5 fleet window. You trace the lure, crash logs, device rings, and wipe evidence.

February 18, 2026. A vendor SAS session shows a service account climbing from helpdesk laptop to domain admin in three hops. You read analyst notes and synthetic event excerpts only.

10 February 2026. CISA adds two related Microsoft protection-mechanism failures to the KEV catalog. Your proxy team already sees HTML smuggling attachments that match the CERT email template.

February 3, 2026. Help-desk chat lights up: executives forward a polished ‘IT verification’ portal that asks for BitLocker recovery keys. You walk chat transcripts, Intune exports, and a forged page hash.

January 6, 2026. A scanner hits a hidden Next.js route, then an export endpoint leaks ledger rows from a preview deployment. You trace the request chain from headers to middleware to blast radius.

The morning of December 4th, 2025. Access logs show odd Flight-shaped POSTs hitting production overnight. Only after you chase the noise do you match it to the React2Shell advisory.

September 8, 2025. A single phishing email gives an attacker the npm account for `chalk`, `debug`, and sixteen other packages with 2.6 billion combined weekly downloads. The malicious versions sit live for two and a half hours.

March 14, 2025. A widely-used GitHub Action is overnight rewritten so every tag, v1, v44, v45, points at one malicious commit. Every workflow that pinned by tag now exfiltrates its secrets to the build log.

A CI run printed a token because someone added `set -x` to debug a failing step. The log is public.

July 1, 2024. Qualys publishes a working unauthenticated RCE against the OpenSSH server, a regression of an 18-year-old CVE that quietly returned in 2020. Your fleet runs sshd on every host.

June 2024. The polyfill.io domain quietly changes hands. The same <script> tag on a hundred thousand websites starts serving conditional malware to mobile users. Yours might be one of them.

March 29, 2024. A Postgres engineer notices sshd is half a second slower on his test box. The investigation that follows uncovers a two-year supply-chain operation against every Linux distribution.

A small startup pushed a build with the wrong directory listed as public. You arrive after the bots have already noticed.

December 2023. Researchers show a middlebox can truncate the SSH handshake just before NEWKEYS, downgrading your channel without triggering the hostkey warning you were trained to trust.

October 2023. Google, AWS, and Cloudflare coordinate disclosure: a flaw in HTTP/2 stream cancellation lets a handful of TCP connections tie up origin CPU, the largest layer-7 attacks measured to date.

October 2023. A memory read goes past the end of a header buffer on NetScaler ADC and Gateway before patch 14.1–12.1. Session tokens leak to strangers.

A login at 04:11 from a country no one on the team has ever visited. Trace what they did before the team woke up.

June 2023. Progress Software emergency-patches MOVEit Transfer while Cl0p claims hundreds of victims. The bug is pre-auth SQLi on the web tier, data exfil before ransomware ever loads.

March 2023. VoIP vendor 3CX ships a desktop app update that contains a decade-old chat library, and something newer that phones home from your sales floor.

March 2022. A bad commit from 2010 meets Spring MVC on Tomcat 9 + JDK 9+. Query parameters become write primitives under the right classpath layout.

December 2021. A string in a log line should be inert. In Log4j 2.x, it is a remote code execution primitive, through LDAP, through your own logging pipeline.

May 7, 2021. Colonial Pipeline proactively halts fuel flows on the largest U.S. refined-products line. The headline says ransomware, your job is what the logs say about ingress.

March 2021. Microsoft discloses four Exchange zero-days actively exploited in the wild. The first stone in the chain is an unauthenticated SSRF against `/owa/auth/` paths.

July 2020. CVE-2020-5902 drops: unauthenticated attackers can run arbitrary commands through the Traffic Management User Interface. Your SOC ships a block rule at 03:00 local, already late.

December 2020. FireEye discovers its own red-team tools were stolen, not by spear-phishing, but through a trojaned update to enterprise network monitoring software.

September 2017. Equifax announces 147 million consumer records exposed. The ingress was a patched-but-unapplied Struts bug, and nine digits of consequence.

May 12, 2017. NHS trusts see BSOD cascades. A worm encrypting files at line speed is spreading through SMBv1 using an exploit stolen from Equation Group, until someone registers a nonsense domain.

Fall 2016. DVRs and IP cameras ship with telnet open and passwords printed on a sticker nobody changed. Someone publishes src.zip and the internet learns a new verb: `load`.

September 24, 2014. Someone realises you can stash arbitrary bash commands in HTTP headers and have them executed by CGI scripts. Half the web runs bash as `/bin/sh`.

April 2014. A keep-alive feature in OpenSSL can return a slice of process memory to any client. Private keys, session cookies, passwords, all adjacent to the heap for a moment.

June 2010. A Belarusian AV company publishes a strange Windows worm. It talks to Siemens PLC software, carries stolen Realtek certificates, and spreads through USB sticks.

November 2008. MS08-067 ships for a critical Server service RPC hole. Conficker spreads anyway, through patched gaps, weak passwords, and USB autoplay.

January 2004. Email subjects alternate between test, hello, and Mail Delivery System. The attachment is a scrap of shrapnel, and it opens outbound TCP 3127 on millions of desktops.

January 25, 2003. A single malformed UDP packet to SQL Server can own the process. Someone weaponises it into the fastest-spreading worm the internet had yet seen.

July 2001. IIS 4 and 5 answer a malformed GET to /.ida with a buffer overflow. Within hours the worm is scanning random IPv4 space for TCP 80.

May 2000. The subject line is ILOVEYOU. The attachment is a .vbs file. Within hours, outlook.exe is the fastest file-sharing network on Earth.

March 26, 1999. A Word macro arrives as list.doc from someone you know. By Monday the mail servers at Intel and Microsoft are holding tens of thousands of copies.

April 1998. A student in Taiwan ships a parasitic .exe. It lies dormant until Chernobyl's anniversary, then it overwrites the flash BIOS on thousands of PCs.

November 2nd, 1988. Something is wrong with ARPANET, mail delays, logins failing, machines falling over. You're the grad student on duty who gets the phone call.

An old UNIX timeshare in 1988. The password file is world-readable. This is why we have shadow.