Microsoft has patched two zero-day vulnerabilities in Windows Defender that were exploited in active attacks. Simultaneously, a supply chain attack involving a poisoned VS Code extension has targeted developers at major AI firms, highlighting risks in common software tools.