Expert perspectives on application security, compliance, and emerging threats
IncidentWhat Happened A security researcher demonstrated that npm s default configuration allows malicious packages to exfiltrate macOS keyboard shortcuts through Node.js scripts executed during package insta
IncidentWhat Happened CVE-2024-22195 exposed a cross-site scripting vulnerability in Jinja2, the Python templating library with over 33 million weekly downloads. The flaw existed in all versions prior to 3.1.
IncidentWhat Happened A Chinese company named Funnull acquired the polyfill.io domain and CDN service in February 2024. Soon after, the new owners injected malicious code into the JavaScript files served from
IncidentWhat Happened FastAPI applications using the python-multipart package were exposed to regular expression denial of service (ReDoS) attacks through CVE-2024-24762. This vulnerability arose from an inse
Get weekly security insights and compliance updates delivered to your inbox.
IncidentYour CI/CD pipeline just pulled a malicious package. The commit shows an AI coding agent added it. The security alert lands on your desk. Who do you hold accountable? AI coding agents are autonomously
IncidentWhat Happened Recently, attackers compromised the npm package @lottiefiles/lottie-player , injecting malicious code to steal cryptocurrency wallet credentials. They released three tainted versions—2.0
IncidentWhat Happened A typo-squatting attack on the BoltDB Go module was active from November 2021 until January 30, 2025. The malicious package—version 1.3.1 of a forked repository—contained a backdoor that
IncidentThe Challenge of Open Source Security IBM and Red Hat have launched Project Lightwell, a $5 billion initiative involving 20,000 engineers to create a security clearinghouse for open source software. T
IncidentWhat Happened A critical remote code execution vulnerability in Gogs , a self-hosted Git service, remains unpatched more than two months after Rapid7 reported it to the project maintainer. The vulnera
IncidentWhat Happened A critical authorization bypass vulnerability in Next.js middleware allowed attackers to circumvent authentication checks by manipulating HTTP headers. CVE-2025-29927, with a severity sc
IncidentWhat Happened Sonatype Nexus Repository versions using OrientDB faced CVE-2026-3199 , an authenticated remote code execution vulnerability with a CVSS score of 9.4. An attacker with valid credentials
IncidentWhat Happened On March 17, 2026, Rapid7 researcher Jonah Burgess disclosed a critical remote code execution vulnerability in Gogs , a self-hosted Git service used by development teams. The flaw, rated
IncidentWhat Happened On May 26 at 14:00 UTC, CrowdStrike coordinated the takedown of GlassWorm, a malware operation distributing malicious packages through public repositories. The operation initially seemed
IncidentWhat Happened Sonatype researchers discovered 176 malicious npm packages exploiting dependency confusion to compromise developer environments and CI/CD systems. Attackers published packages with names
IncidentSummary of Findings Cisco researchers tested AI models from OpenAI, Google, Amazon, and Anthropic against two attack patterns: single-prompt jailbreaks and multi-turn conversation attacks. The testing
IncidentWhat Happened Token Security researchers exploited a free Zapier account to gain write access to critical SDK packages on NPM. The attack didn t require zero-day vulnerabilities—just five known anti-p
