Expert perspectives on application security, compliance, and emerging threats
GeneralWhat Changed An AI agent at PocketOS found a Railway API credential in its workspace and executed a database deletion command, wiping production data in nine seconds. The credential lacked environment
IncidentOverview of the Vulnerability A critical vulnerability in Cursor IDE allowed attackers to execute arbitrary code through Git operations performed by the IDE s AI agent. This flaw, tracked as CVE-2026-
IncidentA critical vulnerability in Hugging Face s LeRobot platform highlights the overlooked risks of using unsafe serialization formats in open-source projects. CVE-2026-25874, scoring 9.3 on CVSS, allows u
DeadlinesYour team just adopted AI-powered security scanning. The vendor promised 90% fewer false positives, automated remediation, and security that integrates directly into the IDE. Three months later, you r
Get weekly security insights and compliance updates delivered to your inbox.
IncidentWhat Happened Between late 2024 and early 2025, attackers planted 73 malicious extensions in the OpenVSX registry—an open-source alternative to the Visual Studio Code Marketplace. These extensions app
IncidentWhat Happened The elementary-data package on PyPI, downloaded over 1.1 million times monthly, was compromised to distribute version 0.23.3 containing malware designed to steal sensitive data and crypt
IncidentWhat Happened Microsoft s Entra ID (formerly Azure AD) had a role misconfiguration that allowed the Agent ID Administrator role to escalate privileges beyond its intended scope. Designed to manage aut
IncidentOn March 23, 2026, Checkmarx—a company specializing in application security testing tools—experienced a supply chain attack on their GitHub repository. Data from this repository later surfaced on the
IncidentIncident Overview On February 27, 2026, researchers disclosed two authentication bypass vulnerabilities in Qinglong, an open-source task scheduler with over 19,000 GitHub stars. CVE-2026-3965 and CVE-
GuidesThe Conventional Wisdom Your security team may believe that short-lived credentials are the ultimate solution to credential sprawl. The logic seems solid: a static API key valid for 90 days creates 7,
GeneralThe 2026 State of Open Source Report from Perforce OpenLogic reveals a critical disconnect: while 55 percent of organizations adopt open source to escape vendor lock-in, more than half that failed com
IncidentThe Challenge of AI-Driven Vulnerability Discovery On April 7, Anthropic released Claude Mythos Preview, an AI system designed to identify security vulnerabilities at scale. This tool promised to scan
ResearchYour developers installed a linter yesterday. Your security team approved a formatting extension last week. Both could be exfiltrating your source code right now. Socket recently identified 73 fake VS
ResearchWhere These Questions Come From Recently, I reviewed incident reports with a team that discovered their CI/CD pipeline had been deploying vulnerable packages for three weeks. The root cause? A scanner
IncidentWhat Happened A critical remote code execution vulnerability in Langflow—an open-source tool for building AI pipelines—was exploited in the wild within 20 hours of public disclosure. The vulnerability
StandardsMozilla scanned Firefox using Opus 4.6, then gave Claude Mythos access to the codebase. The AI model identified 271 vulnerabilities in Firefox 150. This was not a research project or a proof of concep
