Expert perspectives on application security, compliance, and emerging threats
IncidentWhat Happened The CanisterSprawl malware campaign compromised npm packages to steal sensitive data from developer machines, such as tokens and API keys. It then used these credentials to publish more
IncidentWhat Happened The NPM package for Axios was briefly compromised this week. Axios is a JavaScript HTTP client library with approximately 9 million weekly downloads, making it one of the most widely use
StandardsScope - What This Guide Covers This guide provides detection, prevention, and response strategies for supply chain attacks targeting package registries. It includes steps for securing your dependency
IncidentWhat Happened On April 21, 2025, attackers published a malicious version of the pgserve package from Namastex Labs. Within days, 16 packages from the same publisher were compromised. The attack used a
Get weekly security insights and compliance updates delivered to your inbox.
StandardsA critical vulnerability with a CVSS score of 9.1 appeared in ASP.NET Core s Data Protection Library—not from a zero-day exploit, but from a Microsoft update. CVE-2026-40372 affects authentication tok
IncidentWhat Happened A critical vulnerability in Microsoft.AspNetCore.DataProtection allowed attackers to escalate privileges to SYSTEM level on affected servers. The flaw, tracked as CVE-2026-40372 with a C
IncidentIncident Overview OpenAI is rotating all of its macOS code-signing certificates and will fully revoke them on May 8, 2026, following a supply chain attack involving a malicious version of the Axios pa
StandardsA remote code execution vulnerability in protobuf.js (GHSA-xq3m-2v4x-88gg) affecting versions 8.0.0/7.5.4 and lower allows attackers to inject malicious code through unsafe dynamic code generation. If
IncidentYour Angular application can inadvertently become a tool for attackers to map your internal infrastructure. CVE-2026-27739 highlights how a single oversight in HTTP header validation can turn server-s
StandardsEvery npm install or pip install you run pulls code from strangers into your production systems. ENISA s Technical Advisory for Secure Use of Package Managers (March 2026) breaks dependency management
StandardsScope This guide focuses on detecting, preventing, and remediating malicious packages in PHP Composer dependency chains, specifically targeting threats from Packagist . It covers reconnaissance method
StandardsStarting September 2026, Chrome will move to a two-week release cycle with version 153. If you re managing web applications in production, you need a clear decision framework for how your team respond
GeneralScope This guide addresses the challenge of configuring AI model behavior in production systems to balance safety controls with usable responses. You ll find practical frameworks for evaluating conver
StandardsTeams often find themselves generating Software Bill of Materials (SBOMs) without knowing how to use them effectively. They might have set up SBOM tooling in their CI/CD pipeline, generating thousands
StandardsThe Challenge A platform engineering team managing a 15-year-old C++ codebase faced a directive from their CISO: reduce memory-safety vulnerabilities by Q3 or plan a multi-year rewrite. The system pro
StandardsScope This guide outlines the technical controls and verification steps your team needs when using packages from NuGet , npm , and similar public repositories. It includes detection methods, repositor
