{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"Neural Newscast","title":"Hugging Face LeRobot Flaw and Supply Chain Integrity [Prime Cyber Insights]","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/eac39f32\"></iframe>","width":"100%","height":180,"duration":235,"description":"Today’s briefing focuses on a critical unpatched vulnerability in Hugging Face's LeRobot platform, CVE-2026-25874, which allows for unauthenticated remote code execution via unsafe pickle deserialization. We also examine the compromise of the 'element-data' Python package, where attackers stole signing keys through a GitHub action flaw to exfiltrate credentials from over a million monthly users. The episode covers the exploitation of Robinhood's onboarding process for high-fidelity phishing and a corporate IT breach at medical giant Medtronic claimed by the ShinyHunters group. Finally, we look back at the discovery of 'fast16,' a sophisticated malware framework analyzed by SentinelOne that targeted high-precision mathematical calculations five years before Stuxnet. This episode connects these diverse incidents through the lens of supply chain vulnerability and the persistent risk of trusting unauthenticated data in production environments.","thumbnail_url":"https://img.transistorcdn.com/mkCnMvKg2YZJk2kZMcI1a1R5MdeCfMFSDLiEp95sLBs/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS84ZmVm/ZGJhOGNlMGI4ZDQ3/NGFlYzg3ZTk5NDVm/MDg5Zi5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}