Expert perspectives on application security, compliance, and emerging threats
GuidesThe Conventional Wisdom Your security team may believe that short-lived credentials are the ultimate solution to credential sprawl. The logic seems solid: a static API key valid for 90 days creates 7,
ResearchYour developers installed a linter yesterday. Your security team approved a formatting extension last week. Both could be exfiltrating your source code right now. Socket recently identified 73 fake VS
ResearchWhere These Questions Come From Recently, I reviewed incident reports with a team that discovered their CI/CD pipeline had been deploying vulnerable packages for three weeks. The root cause? A scanner
IncidentWhat Happened A critical remote code execution vulnerability in Langflow—an open-source tool for building AI pipelines—was exploited in the wild within 20 hours of public disclosure. The vulnerability
Get weekly security insights and compliance updates delivered to your inbox.
StandardsMozilla scanned Firefox using Opus 4.6, then gave Claude Mythos access to the codebase. The AI model identified 271 vulnerabilities in Firefox 150. This was not a research project or a proof of concep
StandardsWhen you discover unauthorized access to your GitHub organization, the first 60 minutes determine whether you contain the breach or watch it spread to every downstream dependency. This runbook provide
IncidentWhat Happened OpenAI recently patched two vulnerabilities in its AI products that could have enabled unauthorized data movement. The first, discovered by BeyondTrust researchers, affected Codex: a com
ResearchYour security team closed 87% of critical vulnerabilities last quarter. That sounds impressive until you realize the definition of critical just changed — and the volume tripled. OX Security s analysi
IncidentWhat Happened Attackers compromised the Aqua Security repository hosting Trivy , a widely used vulnerability scanner, poisoning 75 of 76 version tags. This turned a tool meant to find vulnerabilities
StandardsThe compromise of the Axios npm package through social engineering highlights a critical vulnerability in the software supply chain: the security of your dependencies is only as strong as the people w
IncidentWhat Happened Security researcher Chaofan Shou recently discovered that Anthropic accidentally exposed the complete source code for Claude Code—their AI coding agent—through a public npm package. The
IncidentWhat Happened Since January 2025, threat actor UNC1069—linked to North Korean groups BlueNoroff, Sapphire Sleet, and Stardust Chollima—deployed over 1,700 malicious packages across npm, PyPI, Go, and
StandardsOn April 22, 2026, malicious versions of xinference appeared on PyPI, targeting AI inference servers with credential theft payloads that leave no persistent traces. This attack marks a tactical shift:
GuidesContext: Questions from teams deploying AI agents Security channels have been inundated with questions after OX Security disclosed vulnerabilities in the Model Context Protocol (MCP). Over 30 remote c
IncidentThe Crisis Unfolds In Q1 2026, Sonatype identified 21,764 malicious packages in open source repositories, with npm accounting for 75% of these. That s 16,323 malicious packages targeting JavaScript de
IncidentOverview of the Attack An attacker used an AI tool named PRT-scan to systematically scan GitHub repositories for misconfigurations that expose secrets. This attack automated the process of reconnaissa
