When Defense Contractors Go Rogue: A Week of Supply Chain Wake-Up Calls

Page content

When Defense Contractors Go Rogue: A Week of Supply Chain Wake-Up Calls

You know that sinking feeling when you realize the call is coming from inside the house? That’s exactly what happened this week with the Peter Williams case, and honestly, it’s keeping me up at night thinking about the implications for all of us in the security community.

Williams, a former executive at a U.S. defense contractor, just got sentenced to 87 months in prison for selling cyber exploits to Russian brokers. Let that sink in for a moment. This wasn’t some external breach or sophisticated social engineering attack – this was someone with legitimate access to sensitive tools deciding to cash in by selling them to our adversaries.

The Treasury Department followed up by sanctioning the Russian exploit broker who was buying these stolen zero-days. It’s a classic supply and demand problem, except the commodity being traded could potentially compromise critical infrastructure or military systems.

The Insider Threat Reality Check

What really gets me about this case is how it highlights the blind spots we have around insider threats. We spend enormous amounts of time and money building walls to keep the bad guys out, but what happens when the bad guy already has a badge and legitimate access? Williams had the keys to the kingdom, and he chose to hand them over to foreign adversaries.

This isn’t just about one rogue employee, either. It’s about the systems and processes we have in place to detect when someone with privileged access starts acting outside normal parameters. Are we monitoring for unusual data access patterns? Do we have proper segregation of duties? Are we doing regular security clearance reviews that go beyond just checking boxes?

SolarWinds: Déjà Vu All Over Again

Speaking of supply chain concerns, SolarWinds is back in the headlines, though this time it’s them doing the patching rather than being the victim. They’ve released fixes for four critical vulnerabilities in their Serv-U file transfer software, all rated 9.1 on the CVSS scale.

The most concerning of these is CVE-2025-40538, which involves broken access control that lets attackers create system admin users and execute arbitrary code. Given SolarWinds’ history, I imagine security teams everywhere are prioritizing these patches. The company has been working hard to rebuild trust since the 2020 supply chain attack, and staying on top of vulnerabilities like this is crucial for that effort.

If you’re running Serv-U in your environment, this should be at the top of your patch priority list. Remote code execution with admin privileges is basically game over in most scenarios.

GitHub Copilot’s Unexpected Attack Vector

Here’s something I didn’t see coming: attackers are now abusing GitHub Issues to compromise repositories through Copilot. The attack works by injecting malicious instructions into GitHub Issues that get automatically processed when someone launches a Codespace from that issue.

This is particularly sneaky because it exploits the trust relationship between developers and AI-assisted coding tools. We’re all getting comfortable with Copilot suggesting code and helping with development tasks, but this attack shows how that convenience can be weaponized.

The broader lesson here is that as we integrate AI tools more deeply into our development workflows, we need to think carefully about the attack surface we’re creating. Every automation and convenience feature is also a potential vector for abuse.

Active Exploitation Alert: FileZen

CISA added another vulnerability to their Known Exploited Vulnerabilities catalog this week: CVE-2026-25108 in FileZen. This one’s an OS command injection flaw that lets authenticated users execute arbitrary commands on the system.

What makes this particularly concerning is that it’s being actively exploited in the wild. File transfer solutions like FileZen are often deployed in ways that make them attractive targets – they’re frequently internet-facing and handle sensitive data movement between organizations.

If you’re running FileZen, you need to patch this immediately. And if you’re not sure whether you have it deployed somewhere in your environment, now would be a good time to do an asset inventory. These file transfer tools have a way of showing up in unexpected places.

The Common Thread

Looking at all these incidents together, there’s a clear pattern emerging around supply chain security and trusted relationships. Whether it’s a defense contractor employee selling exploits, vulnerabilities in widely-used software like SolarWinds, AI tools being manipulated through trusted channels, or file transfer solutions being compromised, the attacks are coming from places we typically consider safe.

This reinforces something we all know but sometimes forget in practice: trust but verify isn’t just a catchy phrase. We need robust monitoring, regular security reviews, and defense-in-depth strategies that assume compromise at every level. The perimeter isn’t just at the network edge anymore – it’s everywhere.

Sources