Expert perspectives on application security, compliance, and emerging threats
IncidentYour AI browser agent just accessed your local file system, read your credentials, and sent them to an attacker. You didn t click anything. You didn t approve any action. The agent did it autonomously
IncidentWhat Happened Between late 2024 and early 2025, attackers compromised the Trivy vulnerability scanner s supply chain by stealing npm publish tokens. They backdoored more than 29 packages that Trivy de
IncidentWhat Happened Security researchers at Sansec discovered a critical vulnerability in Magento s REST API, designated PolyShell, that allows attackers to upload malicious files to e-commerce sites withou
IncidentWhat Happened Between March 9 and March 11, 2025, attackers compromised the AppsFlyer Web SDK, injecting malicious JavaScript to steal cryptocurrency. The code targeted cryptocurrency wallet addresses
Get weekly security insights and compliance updates delivered to your inbox.
IncidentWhat Happened On March 19, 2026, attackers compromised Aqua Security s Trivy vulnerability scanner through GitHub Actions. Trivy, with over 32,000 stars on GitHub, is a critical dependency in thousand
IncidentYour Angular application can inadvertently become a tool for attackers to map your internal infrastructure. CVE-2026-27739 highlights how a single oversight in HTTP header validation can turn server-s
IncidentWhat Happened A Series B fintech company integrated an AI-powered vulnerability scanner into their CI/CD pipeline to reduce false positives from their previous SAST tool. The AI scanner was part of a
IncidentWhat Happened On January 15, 2025, researchers disclosed CVE-2026-29000 , a critical authentication bypass vulnerability in pac4j-jwt, a widely-used Java authentication library. The flaw affects the J
IncidentWhat Happened Your organization deployed an AI agent with broad permissions to handle customer support inquiries. This agent was set up to autonomously draft and send email responses, access customer
IncidentA single HTTP header with an underscore instead of a hyphen bypassed authentication for an entire OAuth2-proxy deployment. No brute force. No stolen credentials. Just X_Forwarded_User instead of X-For
IncidentWhat Happened A recent campaign by the North Korean threat actor group Famous Chollima involved the publication of 26 malicious packages to the npm registry. These packages deployed a cross-platform r
IncidentThe Surge in API Attacks In the first half of 2025, small and medium-sized businesses (SMBs) faced over 1.45 billion attacks, with API-targeted exploits increasing 74 times compared to previous period
IncidentUnderstanding the Gap in AI Pentesting CyberMaddy, a security researcher, evaluated Burp AI s vulnerability detection capabilities using test web applications. The tool identified common vulnerabiliti
IncidentWhat Happened OX Security discovered CVE-2026-28289 , a zero-click remote code execution vulnerability in FreeScout, an open-source helpdesk platform. This flaw allowed attackers to execute arbitrary
IncidentWhat Happened Threat actors exploited CVE-2026-21385 , a high-severity memory corruption vulnerability in Qualcomm chipsets, in targeted attacks against Android devices. Security researchers identifie
IncidentWhat Happened Between February and late 2025, threat actors deployed Coruna—an iOS exploit kit containing five complete exploit chains and 23 individual exploits—against targets ranging from iPhone mo
