Expert perspectives on application security, compliance, and emerging threats
IncidentWhat Happened On May 11, 2026, Grafana Labs detected unauthorized access to multiple GitHub repositories containing source code and internal information. The entry point was a compromised TanStack npm
IncidentThe Problem: Undetected Malicious Packages Your dependency scanner missed it. Your code review didn t catch it. A malicious package slipped through your CI/CD pipeline and into production because you
IncidentOn May 20, 2025, between 17:00 and 21:00 UTC, Drupal administrators worldwide scrambled to apply emergency security patches. The Drupal Security Team had issued a rare advance warning: a critical vuln
IncidentWhat Happened Version 18.95.0 of the Nx Console extension for Visual Studio Code was published with malicious code designed to steal developer credentials. This compromised version contained a 498 KB
Get weekly security insights and compliance updates delivered to your inbox.
IncidentOn an ordinary Tuesday, a maintainer account for the @antv ecosystem—a collection of popular data visualization libraries—began publishing trojanized versions of packages your team might already be us
IncidentAttack Overview On May 19, an attacker compromised a maintainer account for AntV, a widely-used data visualization library, and published 637 malicious versions across 317 npm packages in just 22 minu
IncidentOverview of the Vulnerability On February 17, 2025, security researchers at HiddenLayer disclosed CVE-2026-45829 , a critical vulnerability in ChromaDB s Python FastAPI implementation. This flaw allow
IncidentWhat Happened Attackers compromised the GitHub Actions workflow actions-cool/issues-helper by redirecting every existing tag in the repository to point to malicious commits. These imposter commits con
IncidentWhat Happened On May 19, 2026, an attacker compromised an AntV maintainer account and published over 300 malicious package versions across 323 packages in a 22-minute automated burst. The threat actor
IncidentOn January 15, 2025, attackers compromised maintainer accounts in the Ant Design (AntV) ecosystem and published malicious versions of multiple npm packages. The campaign, tracked as sonatype-2026-0032
IncidentOn May 20, 2026, between 5-9 p.m. UTC, the Drupal Security Team will release core security patches for branches 11.3.x, 11.2.x, 10.6.x, and 10.5.x. The advance notice is unusual. The prepare now langu
IncidentRecently, an attacker published 639 malicious versions across 323 unique npm packages in just 60 minutes. This campaign, known as Shai-Hulud, primarily targeted the @antv data visualization ecosystem.
IncidentWhat Happened Researchers discovered multiple vulnerabilities in OpenClaw , an AI agent framework, that allowed attackers to steal credentials, escalate privileges, and maintain persistence within aff
IncidentBetween late 2024 and early 2025, four malicious npm packages delivered the Shai-Hulud infostealer to developer machines. These packages—typosquats of legitimate tools—were downloaded 2,678 times befo
IncidentBetween late 2024 and early 2025, four malicious packages appeared on the npm registry and accumulated 3,006 downloads before removal. One package, chalk-tempalte (note the misspelling), contained a d
IncidentWhat Happened CVE-2026-42897 , a cross-site scripting (XSS) vulnerability in Microsoft Exchange s Outlook Web Access (OWA), is being actively exploited with no patch available. Attackers can compromis
