Expert perspectives on application security, compliance, and emerging threats
IncidentWhat Happened On April 27, 2026, security researcher 303f06e3 reported a type confusion vulnerability in Chrome s V8 JavaScript engine to Google. The company confirmed active exploitation and assigned
IncidentMicrosoft s January 2025 Patch Tuesday shipped 206 CVEs—a single-month record. Before you blame Microsoft s code quality, consider this: AI-driven vulnerability scanners are finding bugs faster than h
IncidentOn a Tuesday morning, a developer ran pip install on what appeared to be a legitimate Python package. Instantly, before any of their code executed, a credential harvester was active—extracting AWS key
IncidentRecently, Microsoft temporarily removed 73 of its open-source repositories from GitHub due to an information stealer injected through compromised CI/CD pipelines. Some repositories have been restored,
Get weekly security insights and compliance updates delivered to your inbox.
IncidentOn March 29, 2022, a tweet claiming a zero-day in the Spring Framework triggered a 72-hour scramble across engineering teams worldwide. This incident became a textbook case of how not to handle vulner
IncidentOn March 30, 2022, researchers disclosed CVE-2022-22965, a critical remote code execution vulnerability in the Spring Framework. Within hours, proof-of-concept exploits circulated publicly. If your te
IncidentWhat Happened On June 7, 2024, Gogs maintainers released version 0.14.3 to patch a critical zero-day vulnerability that allowed authenticated attackers to execute remote code on affected servers. The
IncidentWhat Happened In March 2022, security researchers disclosed CVE-2022-22965 (Spring4Shell), a remote code execution vulnerability in the Spring Framework s parameter binding mechanism. Organizations pa
IncidentWhat Happened In early 2025, security researchers at Cyera disclosed multiple vulnerabilities in protobuf.js, the JavaScript implementation of Google s Protocol Buffers serialization library. The most
IncidentBetween late 2024 and early 2025, attackers compromised 37 wheel distributions and 19 source packages on the Python Package Index (PyPI) . This campaign, known as Hades, represents a tactical evolutio
IncidentWhat Happened Socket discovered 19 compromised packages on PyPI, downloaded hundreds of thousands of times, delivering malware designed to steal developer credentials. These packages targeted scientif
IncidentWhat Happened Microsoft has introduced a two-hour automatic update delay for Visual Studio Code extensions to mitigate supply chain attack risks. This delay applies to all third-party extensions excep
IncidentOn May 1, 2022, npm removed a malicious package called gxm-reference-web-auth-server from the public registry. This targeted attack used encryption and multi-stage obfuscation to hide data exfiltratio
IncidentSnyk discovered 12 malicious packages in the Python Package Index (PyPI) that stole Discord tokens, Roblox credentials, and payment card data. The attackers used Discord s content delivery network (CD
IncidentWhat Happened Snyk s security research team discovered over 200 malicious packages in the npm registry, exploiting dependency confusion attacks to deliver Cobalt Strike payloads. These packages used i
IncidentWhat Happened CVE-2022-33980 allowed attackers to execute arbitrary code through Apache Commons Configuration s string interpolation feature. The vulnerability affected versions 2.4 through 2.7 and st
