Expert perspectives on application security, compliance, and emerging threats
IncidentWhat Happened Between late 2024 and early 2025, attackers exploited the React2Shell vulnerability in Next.js applications to execute an automated credential theft campaign. Using a framework called NE
IncidentWhat Happened Adversa discovered a vulnerability in Claude Code that allows attackers to bypass security controls by submitting more than 50 subcommands in a single request. When the system encounters
StandardsA compromised maintainer account on npm deployed a cross-platform Remote Access Trojan (RAT) through malicious versions of Axios, a widely used JavaScript HTTP client library. If your systems ran npm
StandardsYour team committed 29 million new hardcoded secrets to public repositories in 2025—a 34% increase from the previous year. AI services contributed to 81% more leaks year over year, and internal reposi
Get weekly security insights and compliance updates delivered to your inbox.
StandardsThe Telnyx SDK compromise on PyPI presents your security team with a critical decision: do you restrict package installation at the perimeter, or do you allow flexibility and invest in runtime detecti
IncidentOn March 19, 2026, TeamPCP compromised Aqua Security s Trivy vulnerability scanner—a tool millions of developers rely on to find security flaws. The attackers didn t exploit a zero-day in the scanner
IncidentWhat Happened Mass exploitation of the PolyShell vulnerability in Magento Open Source and Adobe Commerce began on March 19th. Within days, attackers compromised 56.7% of all vulnerable stores. The att
IncidentWhat Happened The npm package Cline version 2.3.0 was compromised with malicious code that installed OpenClaw, a backdoor tool, on developer machines. This version was downloaded over 4,000 times befo
StandardsA recent campaign distributing over 300 poisoned packages shows how attackers now use AI to scale supply chain attacks. Your dependency scanning probably caught the known signatures, but it won t catc
IncidentWhat Happened CVE-2026-29000, a critical authentication bypass vulnerability in the pac4j-jwt library, allows attackers to bypass authentication controls in Java applications. The flaw was identified
IncidentYour AI browser agent just accessed your local file system, read your credentials, and sent them to an attacker. You didn t click anything. You didn t approve any action. The agent did it autonomously
IncidentWhat Happened Between late 2024 and early 2025, attackers compromised the Trivy vulnerability scanner s supply chain by stealing npm publish tokens. They backdoored more than 29 packages that Trivy de
IncidentWhat Happened Security researchers at Sansec discovered a critical vulnerability in Magento s REST API, designated PolyShell, that allows attackers to upload malicious files to e-commerce sites withou
StandardsThe Pentagon s 180-day deadline to remove Anthropic technology exposes a fundamental gap: most organizations cannot precisely answer, where do we use AI? Only 31% of organizations report being fully e
StandardsThese questions started showing up in security Slack channels right after StepSecurity flagged two hijacked npm packages in the React Native ecosystem. These packages, with over 30,000 downloads per w
ResearchYour build pulls in 847 dependencies. One of them just downloaded your AWS credentials. Researchers have identified dozens of malicious GlassWorm extensions in the wild, each iteration more sophistica
