Expert perspectives on application security, compliance, and emerging threats
IncidentWhat Happened Between late 2024 and early 2025, a worm named SHA1-Hulud infiltrated the npm ecosystem through trojanized packages with hidden preinstall scripts. Snyk identified over 600 compromised n
IncidentWhat Happened On May 22, 2026, at 8:20 p.m. UTC, attackers launched a coordinated supply chain attack across three major package registries. The TrapDoor operation deployed 34 malicious packages spann
IncidentYour fraud detection system just made 847 LLM calls to process a single transaction. The request timed out. Your observability dashboard shows nothing unusual. Welcome to multi-agent system failure in
IncidentOver 700 websites using Ghost CMS were compromised in February and March 2026 due to CVE-2026-26980, a critical SQL injection vulnerability in the platform s Content API. Attackers exploited this flaw
Get weekly security insights and compliance updates delivered to your inbox.
IncidentOverview of the Issue This analysis explores the pitfalls when security teams deploy AI-powered vulnerability scanners without understanding their limitations. OpenHack, an MIT-licensed tool by Hadria
IncidentWhat Happened CVE-2025-55182 enables unauthenticated remote code execution through unsafe deserialization in React Server Components (RSC). Security researcher Lachlan Davidson reported the vulnerabil
IncidentThe Challenge of AI-Accelerated Development Your development team is moving fast with tools like GitHub Copilot or Cursor, shipping features in hours instead of days. However, this speed comes with ri
IncidentWhat Happened Between 2021 and 2024, attackers compromised multiple npm maintainer accounts to inject malicious code into legitimate packages. They gained access through credential stuffing, phishing,
IncidentWhat Happened On December 29, 2025, malware was discovered in the @vietmoney/react-big-calendar npm package (version 0.26.2). This malware, called Shai-Hulud 3.0, targeted software supply chains durin
IncidentWhat Happened In a supply chain attack on Trust Wallet , attackers registered a typosquatted domain mimicking the legitimate Trust Wallet site. This malicious domain was embedded in third-party script
IncidentOn December 16, 2024, attackers compromised the Laravel Lang localization package ecosystem by rewriting GitHub version tags to point at malicious commits in their own forks. The attack affected 233 v
IncidentYour application code passes every security review. Your internal XML parsing follows OWASP ASVS v4.0.3 guidance. But when Apache Tika 2.9.2 shipped with CVE-2025-66516—a CVSS 10.0 Critical XXE vulner
IncidentWhat Happened Eight packages on Packagist , the primary PHP package repository, contained malicious code that downloaded and executed a Linux binary from GitHub. The attack bypassed PHP files by inser
IncidentIntroduction: The Need for Continuous Adversarial Testing ASAPP, an enterprise AI provider, identified a significant gap in their security strategy: traditional pre-deployment testing couldn t keep up
IncidentIncident Overview In the Shai-Hulud incident, attackers published malicious npm packages containing hidden exfiltration scripts. These packages bypassed initial security checks and infiltrated product
IncidentWhat Happened CVE-2026-9082 , a SQL injection vulnerability in Drupal Core with a CVSS score of 6.5, moved from patch release to active exploitation faster than most security teams could deploy fixes.
