Case study: Securing AI application supply chains

Microsoft Defender Security Research describes CVE-2025-68664 (LangGrinch), a critical (CVSS 9.3) serialization injection in the langchain-core Python package where improper handling of a reserved "lc" key during serialization/deserialization can allow attackers to extract environment secrets, instantiate arbitrary classes, and trigger malicious side effects; the advisory provides the root cause analysis, patched versions (0.3.81+ for 0.3.x and 1.2.5+ for 1.x), detection guidance (Defender CSPM, updated scanners, and a KQL hunting query), and remediation recommendations across code, build, and runtime stages.