Expert perspectives on application security, compliance, and emerging threats
StandardsYou ve seen the reports. NIST has changed the way it prioritizes software flaws in its CVE framework. The shift is clear: focus on high-impact vulnerabilities, not just volume. This isn t about abando
StandardsThe Challenge Between 2020 and 2023, CVE submissions grew 263%. Last year alone, NIST enriched almost 42,000 CVEs—a 45% year-over-year increase. Then NIST announced it would no longer analyze every vu
StandardsOver the past month, I ve encountered the same set of questions in multiple forums, all centering on Anthropic s Claude Mythos—an AI model that claims to find and weaponize vulnerabilities at an unpre
StandardsA remote code execution vulnerability in protobuf.js (GHSA-xq3m-2v4x-88gg) affecting versions 8.0.0/7.5.4 and lower allows attackers to inject malicious code through unsafe dynamic code generation. If
Get weekly security insights and compliance updates delivered to your inbox.
IncidentWhat Happened Between October 2025 and January 2026, GreyNoise captured 91,403 distinct attack sessions targeting publicly exposed LLM inference endpoints. The primary target was Ollama instances depl
IncidentOverview of the Vulnerability On March 30, security researchers at Pluto Security disclosed CVE-2026-33032 , a critical vulnerability in nginx UI, a popular web-based management tool for nginx servers
IncidentTwo recently fixed prompt injection vulnerabilities in Salesforce Agentforce and Microsoft Copilot could have allowed external attackers to leak sensitive data from enterprise systems. Here s what hap
IncidentWhat Happened In Q1 2026, Sonatype identified 21,764 open source malware packages across public repositories, with npm accounting for 75% of these. Three incidents highlighted how attackers exploit tr
StandardsCVE-2026-34040 scored 8.8 on the CVSS scale. It s a regression of vulnerabilities patched in 2019 and 2024. The fix is available in Docker Engine 29.3.1 and Docker Desktop 4.66.1. The real question is
IncidentA recent compromise of the popular Axios npm package has highlighted critical gaps in supply chain security for software development teams. Google s Threat Intelligence Group attributed the breach of
StandardsYour vulnerability management program is about to undergo a significant transformation. AI models that autonomously discover vulnerabilities at scale are now production tools. Your team needs a deploy
GeneralScope This guide addresses the operational and security risks when your team s publishing accounts—such as Microsoft Partner Center, Apple Developer, and Google Play Console—face suspension or access
IncidentWhat Happened On March 30, 2026, attackers compromised the Axios NPM package by taking over a maintainer s account. Axios, a widely used HTTP client library in JavaScript, was injected with malicious
IncidentWhat Happened TeamPCP compromised the CI/CD pipeline for Trivy, a widely-used vulnerability scanner, by stealing publishing credentials. They used these credentials to push malicious versions of both
StandardsScope This guide focuses on detecting and mitigating supply chain attacks that use audio steganography to hide malicious payloads in software packages. Our case study is the March 27, 2026 compromise
IncidentWhat Happened SafeDep discovered 36 malicious npm packages posing as legitimate Strapi CMS plugins. These packages exploited Redis and PostgreSQL connections to deploy reverse shells and steal credent
