The Supply Chain Just Became Your Biggest Security Threat
A backdoored disk tool, AI vulnerability scanners, and Reddit's mobile lockdown reveal a brutal truth: the weak link isn't your code anymore—it's everyone else's.
Daemon Tools got hacked. Not in the way you’d expect—not some dramatic zero-day in the kernel, not a clever social engineering angle. Someone poisoned it at the source, quietly, for a month straight.
If you’ve been in tech longer than five minutes, you know what this means. The attack surface just got a lot bigger, and we’re all standing in it.
The Daemon Tools Precedent
Here’s what happened: Daemon Tools, a disk imaging utility that’s been around since 2002 and installed on millions of machines, got backdoored in a supply-chain attack that ran for weeks. A month. Thirty days of silent compromise. The company discovered it, disclosed it, and now we’re all supposed to update and move on.
Except that’s not how this works anymore.
Daemon Tools wasn’t some fringe utility. It’s the kind of thing enterprises have whitelisted in their security policies because it’s been around forever. It’s trusted. That’s precisely what made it valuable to attack. You don’t compromise something obscure—you compromise something so embedded in the infrastructure that nobody’s really watching it closely.
This follows the exact playbook we’ve seen before. SolarWinds in 2020. XZ Utils in 2024 (which almost made it into Linux distributions). The pattern’s become almost predictable: find something ubiquitous, something that nobody’s actively monitoring because it’s so boring and old that it just works, then inject your malware at the source.
The difference now? There are more chokepoints than ever.
Where AI Vulnerability Scanning Becomes Real
Then Mozilla drops this: they’ve got a tool called Mythos that found 271 vulnerabilities and produced “almost no false positives.”
Stop there. Read that again. Almost no false positives.
For twelve years I’ve watched vulnerability scanners. They’re noisy. They’re constantly crying wolf. Security teams spend half their time triaging false alarms—which means they spend half their time not fixing actual problems. It’s like having a smoke detector that goes off every time you cook.
Mythos is different. If Mozilla’s numbers hold up in the wild, this is the moment when AI actually does something security teams have been begging for: it cuts through the noise.
My read: this is going to change how breaches happen. Not because AI found more vulnerabilities—any decent scanner does that. Because it found them with signal instead of noise. That means companies can actually act on what they find. Which sounds great until you realize that the companies with the best security tools are going to be the ones catching up with what the Daemon Tools attackers already figured out months ago.
The math is cruel: better vulnerability detection only helps if you patch faster than attackers compromise. And supply-chain attacks don’t wait for your next Tuesday patch cycle.
The Valuation Bubble Nobody’s Talking About
While we’re worrying about security, Ramp just raised another $750 million at a $40 billion+ valuation.
That’s six months after hitting $32 billion.
I’m not here to be the guy who yells about valuations—that gets boring fast. But this tells you something: capital is still flowing into companies that look like they’ve figured out some aspect of the future, even when the core business model is contested. Ramp does spend management for enterprises. It’s a real product. People use it. But at a $40 billion valuation, it’s pricing in a future where it owns some enormous piece of enterprise finance infrastructure.
Compare that to Kodiak AI, which just raised $100 million at a “steep discount” and watched its stock tumble 37%. Kodiak’s in autonomous driving. Real product. Real contracts. Real pilots. But the market’s not convinced the upside justifies the valuation.
The gap between these two stories isn’t really about the companies. It’s about whether investors think you’re operating in a defensible market that compounds over time (Ramp) or whether you’re in a commodity arms race where every competitor is four months behind you trying to catch up (autonomous vehicles, for now).
That matters for security because the same logic applies. AI tools that are genuinely better at finding and stopping attacks? Those compound. Tools that are just incrementally better? Those get commoditized.
The Backdoor in Plain Sight
Reddit blocked people from accessing its mobile website.
Specifically, if you tried to visit reddit.com on mobile without the app, Reddit was showing you walls of interstitial screens, essentially forcing you to download the app or deal with friction. This isn’t security theater—it’s naked business logic. We want the app. We want you to use the app. So we’re going to make the web experience bad enough that you have no choice.
The reason I’m bringing this up in a security column is that this is how modern attacks work now. They don’t need to be cryptographic vulnerabilities. They don’t need to be exploits. They just need to leverage the power dynamics that already exist in the ecosystem.
Reddit can push users toward the app because Reddit controls the platform. A supply-chain attacker can push malware through Daemon Tools because users have to trust something. Ramp can command a $40 billion valuation because enterprises have to choose someone to manage their spend.
The architecture of the internet—the dependency chains, the winner-take-most dynamics, the concentration of power—IS the vulnerability now.
What I Actually Think Is Happening
Here’s my hot take: we’re in a window where security is getting exponentially better and exponentially worse at the same time.
Better because tools like Mythos are going to make vulnerability detection something that actually works. Because companies that take supply-chain security seriously can now build it into their procurement in real ways. Because the visibility into what’s broken is becoming genuinely comprehensive.
Worse because the attack surface is expanding faster than our ability to defend it. Every new integration is a potential Daemon Tools. Every enterprise tool that becomes ubiquitous is a target. And the incentive structure—compromise something widely used, extract value, disappear into noise—is too good for it not to keep happening.
The winner won’t be the company with the best firewall. It’ll be the company that can move fast enough to patch before it gets hit, and stays suspicious enough not to trust the supply chain blindly.
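As an added illustration (not the column's own code; the file names and artefact bytes are constructed), here is the difference between the name-based allowlist the column describes and a hash-pinned baseline that notices when a trusted utility's bytes change under the same name:

```python
import hashlib
from typing import Dict, List, Set, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(inventory: Dict[str, bytes]) -> Dict[str, str]:
    """Record the hash of every artefact at the moment it was actually vetted."""
    return {name: sha256_hex(data) for name, data in inventory.items()}

def audit(baseline: Dict[str, str], inventory: Dict[str, bytes],
          name_allowlist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (artefact, name-only verdict, pinned-hash verdict) for each artefact."""
    findings = []
    for name, data in inventory.items():
        # The weak control: trust anything whose name is on the list.
        name_verdict = "allow" if name in name_allowlist else "block"
        # The stronger control: the bytes must match what was vetted.
        expected = baseline.get(name)
        if expected is None:
            hash_verdict = "block"        # never vetted at all
        elif sha256_hex(data) != expected:
            hash_verdict = "quarantine"   # trusted name, different bytes: investigate
        else:
            hash_verdict = "allow"
        findings.append((name, name_verdict, hash_verdict))
    return findings

# Constructed sample inventory (hypothetical names, not real vendor binaries).
VETTED = {
    "disk-tool-setup.exe": b"disk-tool v1.0 release build",
    "pdf-viewer.exe": b"pdf-viewer v3.2 release build",
}
NAME_ALLOWLIST = set(VETTED)
BASELINE = build_baseline(VETTED)

# A month later: same filename, silently altered bytes (constructed).
AFTER_COMPROMISE = dict(VETTED)
AFTER_COMPROMISE["disk-tool-setup.exe"] = VETTED["disk-tool-setup.exe"] + b"\x00<injected>"

if __name__ == "__main__":
    for row in audit(BASELINE, AFTER_COMPROMISE, NAME_ALLOWLIST):
        print(row)
```

The pin is only as good as the baseline: if it was taken from a build that was already poisoned, both checks pass, so the hash should come from an independently verified release rather than from the same download page as the artefact.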
That’s not a problem you solve with one tool. That’s a cultural change. And culture is slow.
What I’m Watching
Mythos adoption rates through Q2 2025. If major enterprises start using this to baseline their vulnerability posture, we’ll see whether “almost no false positives” actually holds in production. If it does, expect every CISO to demand their tools match it within six months. That’s the inflection point.
How long until the next supply-chain attack. Daemon Tools was discovered. That raises awareness. But there are hundreds of utilities with similar trust profiles sitting in enterprise environments. I’d bet money we see another one within 18 months, targeting something even more obscure and trusted.
Whether Ramp’s $40B valuation holds into 2026. If enterprise software fundamentals start cracking, that number gets tested hard. If it holds or grows, it means capital still believes in network-effect moats in B2B. That shapes what gets funded next in security.
OpenAI’s voice API uptake in security/defense applications. They just launched new voice features. Attackers are going to use this for social engineering at scale. The real test: who locks it down first, and does it matter?