Expert perspectives on application security, compliance, and emerging threats
IncidentWhat Happened A server-side template injection vulnerability in Thymeleaf (CVE-2026-40478) has been identified with a CVSS score of 9.1, indicating critical severity with potential for remote code exe
IncidentWhat Happened Between late February and early March 2026, attackers compromised three critical components of the AI development stack: Bitwarden CLI (a secrets management tool), Lovable (an AI code ge
IncidentIncident Overview On April 29, 2026, between 09:55 UTC and 12:14 UTC, attackers released compromised versions of several npm packages linked to SAP s JavaScript and cloud application development ecosy
GeneralScope This guide examines the operational and compliance implications of relying on public package registries like Maven Central, PyPI, npm, and RubyGems in your software delivery pipeline. If your te
Get weekly security insights and compliance updates delivered to your inbox.
IncidentWhat Happened On April 24, 2025, attackers published version 0.23.3 of the Python package elementary-data to PyPI. This malicious release contained code designed to exfiltrate cloud credentials from a
IncidentWhat Happened Attackers distributed self-propagating malware through VS Code extensions published to the Open VSX repository. These extensions appeared legitimate but contained code designed to spread
IncidentWhat Happened On April 24, security researchers disclosed CVE-2026-42208 , a critical SQL injection vulnerability in LiteLLM, an open-source gateway for managing LLM API calls. This flaw allowed attac
IncidentWhat Happened Marquis, a fintech company serving financial institutions, suffered a ransomware attack that exposed personal information for at least 672,075 individuals. The attackers bypassed direct
IncidentWhat Happened In late 2024, security researchers at Wiz discovered CVE-2026-3854, a remote code execution vulnerability in GitHub s infrastructure. This flaw allowed attackers to execute arbitrary cod
GeneralWhat Changed An AI agent at PocketOS found a Railway API credential in its workspace and executed a database deletion command, wiping production data in nine seconds. The credential lacked environment
IncidentOverview of the Vulnerability A critical vulnerability in Cursor IDE allowed attackers to execute arbitrary code through Git operations performed by the IDE s AI agent. This flaw, tracked as CVE-2026-
IncidentA critical vulnerability in Hugging Face s LeRobot platform highlights the overlooked risks of using unsafe serialization formats in open-source projects. CVE-2026-25874, scoring 9.3 on CVSS, allows u
IncidentWhat Happened Between late 2024 and early 2025, attackers planted 73 malicious extensions in the OpenVSX registry—an open-source alternative to the Visual Studio Code Marketplace. These extensions app
IncidentWhat Happened Microsoft s Entra ID (formerly Azure AD) had a role misconfiguration that allowed the Agent ID Administrator role to escalate privileges beyond its intended scope. Designed to manage aut
IncidentOn March 23, 2026, Checkmarx—a company specializing in application security testing tools—experienced a supply chain attack on their GitHub repository. Data from this repository later surfaced on the
IncidentIncident Overview On February 27, 2026, researchers disclosed two authentication bypass vulnerabilities in Qinglong, an open-source task scheduler with over 19,000 GitHub stars. CVE-2026-3965 and CVE-
