Patterns.

The tools and credentials that authorize access to your systems are now the attack surface.

A component whose bug-class keeps recurring. Patches address symptoms; the design holds the primitive.

Vendor discloses only after active in-wild exploitation. The gap between first-seen and CVE is the story.

Single maintainer account gates publishes to millions. One compromise ships to every downstream.

The window between credential compromise and detection. Every action in that window is legitimate.

The privileged action of your security tool becomes the attack. Defender's hands become attacker's hands.

External content feeds an interpreter that treats it as instructions. Prompt injection is one instance.

Individually safe components that compose into an attack. Nobody owns the intersection.

Git tags, date-labeled artifacts, the latest tag. Treated as pinned. Not.

The attack does not steal. It makes the defender permanently blind to a class of events.

The sandbox, scanner, or SOC tool is itself the attack surface.

A 'race condition' that's actually deterministic. Attacker controls timing because the other side hasn't run yet.

No auth required to write a file into a path the server executes. Webroot upload, CGI drop, etc.

The bug class is too fundamental to the design. Patches close instances; the primitive remains.

The capability the researcher didn't ship tells you what the capability is. Read what's commented out.

'We weren't breached' via a narrow reading of their own terms. Non-denial denial.

A PoC that ships a full weaponizer behind a 'for authorized testing only' disclaimer.

Security gate can't decrypt/validate a message and forwards it anyway. Logs the failure, does the action.

Managed file transfer products carry the payload and the trust. Now carry the breaches.

CSRF tokens mistaken for authentication. Valid nonce does not equal authenticated caller.

A trust check that reads shared prototype state. Attacker writes once, every object reports trusted.

Worm pattern in a package registry: infected package harvests credentials, publishes to the next.

Hardware wallet / HSM / signer shows one thing, signs another. Trust boundary lives at the rendering layer.

The fix was in a comment. The code shipped without it. Audit your oldest TODOs.

A new ecosystem replaying every lesson the old ones learned. Same registry shape, same provenance gap.

Coverage reported as a fraction when only the numerator was ever the story. MFA %, EDR coverage, etc.