Expert perspectives on application security, compliance, and emerging threats
IncidentWhat Happened Between March 9 and March 11, 2025, attackers compromised the AppsFlyer Web SDK, injecting malicious JavaScript to steal cryptocurrency. The code targeted cryptocurrency wallet addresses
StandardsEndor Labs researchers have identified 88 new malicious npm packages in the latest PhantomRaven campaign—81 of which are still available for download. These packages are actively stealing credentials
StandardsOn March 20, 2026, Aikido Security detected CanisterWorm spreading across the npm ecosystem. Within hours, it had compromised more than 50 packages across multiple scopes. The attack used the Internet
StandardsScope This guide covers detection and mitigation strategies for supply chain attacks using decentralized infrastructure for command-and-control operations. You ll learn to identify compromised package
Get weekly security insights and compliance updates delivered to your inbox.
GeneralYour security team might think of AI agents like web applications, but this assumption creates a new attack surface. When CNCERT warned about OpenClaw s vulnerabilities—specifically its inherently wea
ResearchYour SAST tools flag 2,000 issues per sprint. Your security team triages maybe 50. The rest pile up in Jira until someone archives them during spring cleaning. OpenAI s Codex Security identified 792 c
IncidentWhat Happened A Series B fintech company integrated an AI-powered vulnerability scanner into their CI/CD pipeline to reduce false positives from their previous SAST tool. The AI scanner was part of a
IncidentWhat Happened On January 15, 2025, researchers disclosed CVE-2026-29000 , a critical authentication bypass vulnerability in pac4j-jwt, a widely-used Java authentication library. The flaw affects the J
IncidentWhat Happened Your organization deployed an AI agent with broad permissions to handle customer support inquiries. This agent was set up to autonomously draft and send email responses, access customer
IncidentA single HTTP header with an underscore instead of a hyphen bypassed authentication for an entire OAuth2-proxy deployment. No brute force. No stolen credentials. Just X_Forwarded_User instead of X-For
IncidentUnderstanding the Gap in AI Pentesting CyberMaddy, a security researcher, evaluated Burp AI s vulnerability detection capabilities using test web applications. The tool identified common vulnerabiliti
IncidentWhat Happened OX Security discovered CVE-2026-28289 , a zero-click remote code execution vulnerability in FreeScout, an open-source helpdesk platform. This flaw allowed attackers to execute arbitrary
IncidentWhat Happened Threat actors exploited CVE-2026-21385 , a high-severity memory corruption vulnerability in Qualcomm chipsets, in targeted attacks against Android devices. Security researchers identifie
GeneralScope This guide addresses the cybersecurity risks inherent in Tire Pressure Monitoring Systems (TPMS) and similar automotive IoT components. You ll find guidance for security teams evaluating connect
IncidentWhat Happened Between February and late 2025, threat actors deployed Coruna—an iOS exploit kit containing five complete exploit chains and 23 individual exploits—against targets ranging from iPhone mo
IncidentOverview of the Vulnerability Security researchers at OX Security disclosed CVE-2026-28289 , a critical vulnerability in FreeScout, an open-source, self-hosted help desk platform. This flaw allows una
