From fairy dust to Glasswing: a decade of being right about the wrong thing

John W8MEJ Menerick

In 2014 I stood at DEF CON and showed the internet’s foundational software was held together by wishful thinking, volunteer labor, and collective myth. Last week Anthropic’s unreleased frontier model validated that at industrial scale. This month two nation-state actors proved the security tooling itself is now the attack surface. And Project Glasswing — the response — may be the most consequential single policy decision to date in the history of open source software security. Whether that consequence is good or catastrophic depends entirely on decisions no one has made yet.

  • 9 — Episodes in Season 3
  • 12 yrs — Timeline, DEF CON 22 to Glasswing
  • 27 yrs — Oldest zero-day found by Mythos
  • 174K — npm packages downstream of Axios alone

Ep. 02 — Transitive dependency risk, package maintenance economics, and why the thing that destroys you won’t be your code. Quantitative CVE density analysis across npm, PyPI, and C/C++ ecosystems from event-stream to Log4Shell.
  Tags: supply chain, npm, PyPI, Log4Shell
  Coming soon · ~18 min

Ep. 03 — CVE-2024-3094 is not a vulnerability story — it’s a governance story. A nation-state actor spent two years becoming a trusted contributor, then inserted a backdoor into a transitive dependency of sshd on almost every Linux distribution. Caught by an anomalous CPU benchmark, not security review. The template for everything that followed in 2026.
  Tags: XZ Utils, CVE-2024-3094, social engineering, maintainer targeting
  Coming soon · ~20 min

Ep. 04 — March 19, 2026. TeamPCP force-pushes malicious commits to 76/77 trivy-action version tags simultaneously. The most diligent organizations had the greatest exposure. Full cascade reconstruction: CanisterWorm with blockchain C2, Checkmarx KICS, LiteLLM AI key vault breach, Telnyx WAV steganography, European Commission’s 92 GB.
  Tags: Trivy, TeamPCP, CVE-2026-33634, CanisterWorm, LiteLLM
  Coming soon · ~24 min

Ep. 05 — March 31, 2026. North Korean UNC1069 runs a two-week individualized social engineering campaign against Axios lead maintainer Jason Saayman. Three hours. 174,000 downstream packages. The ROI calculation that makes high-impact OSS maintainers the most valuable social engineering targets in software — and what SLSA provenance absence means as a detection signal.
  Tags: Axios, UNC1069, DPRK, Sapphire Sleet, SLSA
  Coming soon · ~22 min

Ep. 06 — TensorFlow: 700+ critical CVEs. HuggingFace’s dominant model serialization format: arbitrary code execution by design. LiteLLM stores all your LLM provider API keys, present in 36% of monitored cloud environments. The DEF CON 22 vulnerability density methodology applied to the modern ML infrastructure stack — same conclusions, one decade later, new substrate.
  Tags: ML stack, TensorFlow, LiteLLM, ShadowRay, HuggingFace
  Coming soon · ~20 min

Ep. 08 — Every regulatory vulnerability management framework assumes discovery is scarce and disclosure is sequential. Glasswing produces thousands of simultaneous zero-day advisories. This episode models what happens when federal agencies receive 1,000 simultaneous zero-day advisories — and maps the 18-month window before the disclosure flood hits a compliance stack nobody has started redesigning.
  Tags: CISA KEV, NVD, FedRAMP, CMMC, compliance cliff
  Coming soon · ~18 min

Ep. 09 — Season finale. The fairy dust didn’t disappear — it moved one abstraction layer higher with each generation. What the Glasswing Doctrine needs to become to be durable. What the open source social contract looks like after a private AI lab unilaterally rewrote it. And the question nobody is asking loudly enough: who patches the patcher’s patcher, through what supply chain, while the patcher is fielding a Teams meeting request from a very convincing stranger.
  Tags: synthesis, OSS social contract, governance, Glasswing Doctrine, season finale
  Coming soon · ~25 min

Thread 1 — The vulnerability story (Ep. 01, 02, 06)

The quantitative case that OSS infrastructure was never as secure as the collective myth suggested — from Exim’s 13,000 criticals in 2014 to TensorFlow’s 700+ in 2026. The data through two generations of infrastructure.

  • Ep. 01 — Internet infrastructure: DEF CON 22 dataset
  • Ep. 02 — Supply chain: transitive dependency risk
  • Ep. 06 — ML stack: the new load-bearing walls

Thread 2 — The attack story (Ep. 03, 04, 05)

How nation-state actors operationalized the threat models security researchers had been publishing for years. XZ as the template, Trivy as the pivot, Axios as the broadside. The playbook was published. They read it.

  • Ep. 03 — XZ Utils: the two-year playbook
  • Ep. 04 — Trivy/TeamPCP: the cascade
  • Ep. 05 — Axios/UNC1069: the locksmith operation

Thread 3 — The response story (Ep. 07, 08, 09)

Glasswing as policy precedent. The compliance cliff. Whether the voluntary restraint that produced Glasswing is more durable than the restraint that left the bugs unfixed for 27 years. The substrate change at the governance layer.

  • Ep. 07 — Glasswing: the doctrine
  • Ep. 08 — The compliance cliff
  • Ep. 09 — The pattern: season finale

The parable

Everybody / Somebody / Nobody / Anybody

Introduced at DEF CON 22 to explain Heartbleed. Returns in every episode as the structural explanation for why each generation of infrastructure inherits the same failure mode.

The inversion

Diligence as the attack surface

The most security-conscious organizations had the greatest Trivy exposure because they ran it most frequently. The XZ maintainer was trustworthy, which is why the attack worked. Security posture as vulnerability vector.

The layer shift

Fairy dust moves up the stack

2014: “everyone’s looking at the code.” 2024: “our tooling is trustworthy.” 2026: “our AI deployment is safe.” The pattern is consistent. Only the substrate changes.

The ROI problem

Nation-state math on open source

Two weeks to own 100M weekly downloads. Two years to own a transitive dependency of sshd. The economics of targeting volunteer maintainers only improve as package footprints grow.

The governance gap

Good intentions vs. durable structures

Glasswing is voluntary restraint. The OSS social contract was voluntary contribution. Both depend on goodwill at a scale it was never designed for. Season 3 asks what durable looks like.

The velocity mismatch

Machine discovery, human remediation

Mythos finds bugs at machine speed. Patches ship at human speed. Season 3 maps what changes when discovery becomes free and the bottleneck shifts entirely to everything that comes after.

“Project Butterfly of Damocles: named for the moment you realize the sword has been hanging above the internet since 1998 — and that the thread was always a volunteer with a day job.”

— Series concept note, April 2026

Episodes 01 and 07 are published as part of the series premiere. Episodes 02–06 and 08–10 are in production and will publish on a rolling schedule through Q2–Q3 2026. Subscribe to the Morphogenetic SOC newsletter at securesql.info for release notifications.


Conflict of interest disclosure

The author is affiliated with Project Glasswing. This post reflects the author’s independent analysis and opinions only, and does not represent the views or positions of Anthropic, Project Glasswing, or any Glasswing launch partner. Readers should weigh the author’s affiliation accordingly when evaluating assessments of the initiative’s merits and limitations.
