Expert perspectives on application security, compliance, and emerging threats
IncidentIncident Overview On April 29, 2026, between 09:55 UTC and 12:14 UTC, attackers released compromised versions of several npm packages linked to SAP s JavaScript and cloud application development ecosy
IncidentWhat Happened On April 24, 2025, attackers published version 0.23.3 of the Python package elementary-data to PyPI. This malicious release contained code designed to exfiltrate cloud credentials from a
IncidentWhat Happened Attackers distributed self-propagating malware through VS Code extensions published to the Open VSX repository. These extensions appeared legitimate but contained code designed to spread
IncidentWhat Happened On April 24, security researchers disclosed CVE-2026-42208 , a critical SQL injection vulnerability in LiteLLM, an open-source gateway for managing LLM API calls. This flaw allowed attac
Get weekly security insights and compliance updates delivered to your inbox.
IncidentWhat Happened Marquis, a fintech company serving financial institutions, suffered a ransomware attack that exposed personal information for at least 672,075 individuals. The attackers bypassed direct
IncidentWhat Happened In late 2024, security researchers at Wiz discovered CVE-2026-3854, a remote code execution vulnerability in GitHub s infrastructure. This flaw allowed attackers to execute arbitrary cod
IncidentOverview of the Vulnerability A critical vulnerability in Cursor IDE allowed attackers to execute arbitrary code through Git operations performed by the IDE s AI agent. This flaw, tracked as CVE-2026-
IncidentA critical vulnerability in Hugging Face s LeRobot platform highlights the overlooked risks of using unsafe serialization formats in open-source projects. CVE-2026-25874, scoring 9.3 on CVSS, allows u
IncidentWhat Happened Between late 2024 and early 2025, attackers planted 73 malicious extensions in the OpenVSX registry—an open-source alternative to the Visual Studio Code Marketplace. These extensions app
IncidentWhat Happened Microsoft s Entra ID (formerly Azure AD) had a role misconfiguration that allowed the Agent ID Administrator role to escalate privileges beyond its intended scope. Designed to manage aut
IncidentOn March 23, 2026, Checkmarx—a company specializing in application security testing tools—experienced a supply chain attack on their GitHub repository. Data from this repository later surfaced on the
IncidentIncident Overview On February 27, 2026, researchers disclosed two authentication bypass vulnerabilities in Qinglong, an open-source task scheduler with over 19,000 GitHub stars. CVE-2026-3965 and CVE-
IncidentWhat Happened A critical remote code execution vulnerability in Langflow—an open-source tool for building AI pipelines—was exploited in the wild within 20 hours of public disclosure. The vulnerability
IncidentWhat Happened OpenAI recently patched two vulnerabilities in its AI products that could have enabled unauthorized data movement. The first, discovered by BeyondTrust researchers, affected Codex: a com
IncidentWhat Happened Attackers compromised the Aqua Security repository hosting Trivy , a widely used vulnerability scanner, poisoning 75 of 76 version tags. This turned a tool meant to find vulnerabilities
IncidentWhat Happened Security researcher Chaofan Shou recently discovered that Anthropic accidentally exposed the complete source code for Claude Code—their AI coding agent—through a public npm package. The
