Expert perspectives on application security, compliance, and emerging threats
DeadlinesThe EU Cyber Resilience Act (CRA) will be fully enforced by December 2027. This gives your team a 36-month window to overhaul how you handle security requirements for any product sold in the EU market
IncidentThe Crisis Unfolds In Q1 2026, Sonatype identified 21,764 malicious packages in open source repositories, with npm accounting for 75% of these. That s 16,323 malicious packages targeting JavaScript de
IncidentOverview of the Attack An attacker used an AI tool named PRT-scan to systematically scan GitHub repositories for misconfigurations that expose secrets. This attack automated the process of reconnaissa
IncidentThe Emerging Threat Vulnerabilities are being exploited faster than your team can deploy patches. The traditional workflow—discover, prioritize, test, deploy—now lags behind the speed of exploitation.
Get weekly security insights and compliance updates delivered to your inbox.
StandardsNIST enriched nearly 42,000 CVEs in 2025, a 45% increase over previous years. Yet they just announced they re scaling back. Why? CVE submissions jumped 263% between 2020 and 2025, and the old model of
GuidesThe Conventional Wisdom Your compliance team might believe that supply chain security is addressed by generating Software Bills of Materials (SBOMs). Create an SBOM for every release, submit it to the
IncidentWhat Happened In early 2025, security researchers at OX Security disclosed a critical vulnerability in Anthropic s Model Context Protocol (MCP) that allows remote code execution. This flaw affects ove
StandardsI ve been fielding urgent questions about CVE-2026-40478 in Thymeleaf. Many teams using Java Spring apps with Thymeleaf are now facing a 9.1 CVSS vulnerability that allows unauthenticated attackers to
IncidentWhat Happened On December 20, 2024, Vercel discovered unauthorized access to their internal systems through a compromised OAuth token belonging to Context.ai, a third-party AI coding assistant integra
IncidentWhat Happened On April 22, 2025, attackers published a malicious version of the Bitwarden CLI password manager (version 2026.4.0) to the npm registry. The compromised package was available for about 1
IncidentWhat Happened A critical remote code execution vulnerability (CVE-2026-1731) in Bomgar s remote monitoring and management (RMM) platform has exposed organizations to significant risk. This flaw allowe
StandardsWhen Socket alerted on malicious Docker images in the official checkmarx/kics repository—including a new tag v2.1.21—and compromised VS Code extensions (checkmarx/ [email protected] and 1.19.0), se
IncidentWhat Happened The CanisterSprawl malware campaign compromised npm packages to steal sensitive data from developer machines, such as tokens and API keys. It then used these credentials to publish more
StandardsScope - What This Guide Covers This guide addresses the operational gap between discovering vulnerabilities and fixing them in environments where AI-assisted scanning is common. You ll find frameworks
StandardsOn April 23, 2026, Mend.io discovered a compromised package on npm masquerading as @bitwarden/cli version 2026.4.0. This package combined three attack mechanisms: a self-propagating npm worm, a GitHub
IncidentWhat Happened In late 2024, security researchers at StepSecurity and Socket disclosed CanisterSprawl, an npm malware campaign that exploits developer environments to steal credentials and publish mali
