Expert perspectives on application security, compliance, and emerging threats
IncidentSummary of the Incident A critical remote code execution vulnerability in Apache ActiveMQ was discovered using AI-assisted analysis in about 10 minutes. This vulnerability affects versions before 5.19
IncidentWhat Happened On April 22, 2026, attackers published a compromised version of the Bitwarden command-line interface (version @bitwarden/ [email protected] ) to npm. The malicious code, embedded in a file na
IncidentOn April 22, 2025, developers who updated the Bitwarden CLI to version 2026.4.0 installed malware designed to exfiltrate their most sensitive credentials. The window was narrow—just over 90 minutes—bu
IncidentWhat Happened On April 22, 2026, attackers replaced legitimate Docker images of Checkmarx s KICS (Keeping Infrastructure as Code Secure) tool with malicious versions. KICS is an open-source scanner th
Get weekly security insights and compliance updates delivered to your inbox.
IncidentWhat Happened A critical remote code execution vulnerability in Flowise AI—an open-source platform for building AI agents—is being actively exploited. CVE-2025-59528 carries a CVSS score of 10.0, the
StandardsYour open-source project just received an email from someone claiming to be a core maintainer, asking for elevated repository access. The writing style matches, and the email domain looks legitimate,
IncidentWhat Happened Between late January and early February 2025, security researchers at VulnCheck detected active exploitation of CVE-2025-59528 , a JavaScript injection vulnerability in Flowise, a low-co
IncidentThe Problem Your security team, using CrowdStrike , encountered a daunting challenge: 500,000 vulnerability findings flagged by the scanner. Each finding had a CVSS score demanding attention. Patching
LegalArticle 5 of the EU AI Act went into enforcement in February 2025, and compliance teams are scrambling. The issue isn t that the prohibitions are unclear—the European Commission published detailed gui
StandardsScope - What This Guide Covers This guide defines security responsibilities for teams deploying AI systems from third-party vendors. It addresses: Which security controls belong to your team vs. the v
StandardsYou ve seen the reports. NIST has changed the way it prioritizes software flaws in its CVE framework. The shift is clear: focus on high-impact vulnerabilities, not just volume. This isn t about abando
StandardsOver the past month, I ve encountered the same set of questions in multiple forums, all centering on Anthropic s Claude Mythos—an AI model that claims to find and weaponize vulnerabilities at an unpre
IncidentTwo recently fixed prompt injection vulnerabilities in Salesforce Agentforce and Microsoft Copilot could have allowed external attackers to leak sensitive data from enterprise systems. Here s what hap
GeneralScope This guide addresses the operational and security risks when your team s publishing accounts—such as Microsoft Partner Center, Apple Developer, and Google Play Console—face suspension or access
IncidentWhat Happened On March 30, 2026, attackers compromised the Axios NPM package by taking over a maintainer s account. Axios, a widely used HTTP client library in JavaScript, was injected with malicious
IncidentWhat Happened Adversa discovered a vulnerability in Claude Code that allows attackers to bypass security controls by submitting more than 50 subcommands in a single request. When the system encounters
