Incident: 73 Microsoft Repos Poisoned on GitHub
Recently, Microsoft temporarily removed 73 of its open-source repositories from GitHub due to an information stealer injected through compromised CI/CD pipelines. Some repositories have been restored,
Expert perspectives on application security, compliance, and emerging threats
Incident: On March 29, 2022, a tweet claiming a zero-day in the Spring Framework triggered a 72-hour scramble across engineering teams worldwide. This incident became a textbook case of how not to handle vulner
Incident: On March 30, 2022, researchers disclosed CVE-2022-22965, a critical remote code execution vulnerability in the Spring Framework. Within hours, proof-of-concept exploits circulated publicly. If your te
Incident: What Happened: On June 7, 2024, Gogs maintainers released version 0.14.3 to patch a critical zero-day vulnerability that allowed authenticated attackers to execute remote code on affected servers. The
Incident: What Happened: In March 2022, security researchers disclosed CVE-2022-22965 (Spring4Shell), a remote code execution vulnerability in the Spring Framework's parameter binding mechanism. Organizations pa
Incident: What Happened: In early 2025, security researchers at Cyera disclosed multiple vulnerabilities in protobuf.js, the JavaScript implementation of Google's Protocol Buffers serialization library. The most
Incident: Between late 2024 and early 2025, attackers compromised 37 wheel distributions and 19 source packages on the Python Package Index (PyPI). This campaign, known as Hades, represents a tactical evolutio
General: When OpenAI announced Lockdown Mode, many compliance teams felt relieved. Finally, a vendor-provided control to prevent sensitive data leaks through AI interactions. However, this relief is premature.
Incident: What Happened: Socket discovered 19 compromised packages on PyPI, downloaded hundreds of thousands of times, delivering malware designed to steal developer credentials. These packages targeted scientif
Incident: What Happened: Microsoft has introduced a two-hour automatic update delay for Visual Studio Code extensions to mitigate supply chain attack risks. This delay applies to all third-party extensions excep
Research: Only 11% of AI agents deployed in production meet high security standards. This statistic should alarm you, but what's more concerning is why the other 89% fail — and how similar the mistakes are acro
General: Security teams often treat browser security as a simple task—install an extension, block a few domains, and consider it done. However, your true attack surface lies in the thousands of active browser
General: Scope - What This Guide Covers: This guide addresses the risks of end-of-life (EOL) open source dependencies in commercial applications. You'll learn how to identify EOL components, assess compliance i
General: The Conventional Wisdom: Speed wins. Deploy faster, iterate quicker, ship more features. The data seems clear: project deployment rates jumped from 357 per month in 2021 to 988 per month in 2025. AI ad
Incident: On May 1, 2022, npm removed a malicious package called gxm-reference-web-auth-server from the public registry. This targeted attack used encryption and multi-stage obfuscation to hide data exfiltratio
Incident: Snyk discovered 12 malicious packages in the Python Package Index (PyPI) that stole Discord tokens, Roblox credentials, and payment card data. The attackers used Discord's content delivery network (CD