.avif)
Software Supply Chain Security News
Stay up to date with the latest software supply chain security incidents, including malicious packages, dependency attacks, and real-world breaches. We break down what happened, why it matters, and what developers should fix to stay ahead.
Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud
Malware found in popular PyTorch Lightning version 2.6.2 and 2.6.3, stealing credentials, crypto wallets, and VPN configs as part of the Mini Shai-Hulud campaign.
Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files
A fake "tanstack" npm package published four malicious versions in 27 minutes today, exfiltrating .env files via a postinstall hook. Here's what happened, who was affected, and how to rotate your credentials.
The malware dating guide: Understanding the types of malware on NPM
A breakdown of real-world malicious npm packages and the techniques they use to exploit the JavaScript supply chain.
Top 9 Docker Container Security Vulnerabilities
Discover the top Docker container security vulnerabilities, their risks, and best practices to secure your applications against modern container threats
Hide and Fail: Obfuscated Malware, Empty Payloads, and npm Shenanigans
Investigating a failed npm malware campaign using time-delayed payloads, obfuscation tricks, and reused dependencies.
Malware hiding in plain sight: Spying on North Korean Hackers
When a malicious NPMjs package was uploaded, we didn't expect we would be watching the North Korean Lazarus group debug it in real time. But we did/
Get the TL;DR: tj-actions/changed-files Supply Chain Attack
Let’s get into the tj-actions/changed-files supply chain attack, what you should do, what happened, and more information.
Prisma and PostgreSQL vulnerable to NoSQL injection? A surprising security risk explained
Discover how Prisma ORM and PostgreSQL can be vulnerable to operator injection, a form of NoSQL injection. Learn how attackers exploit this risk and get practical tips to secure your JavaScript applications with input validation and safe query practices.
Command injection in 2024 unpacked
Command injection continues to be a significant vulnerability in applications. This report reviews how many injection vulnerabilities are found in closed and open-source projects throughout 2024
Path Traversal in 2024 - The year unpacked
This report looks at how prominant path traversal is in 2024 by analysing how many vulnerabilities involving path traversal were discovered in open-source and closed-source projects.
The State of SQL Injection
SQL injection also known as SQLi is one of the longest standing vulnerabilities still prominant today. This report reviews the trend of SQLi for 2024
110,000 sites affected by the Polyfill supply chain attack
A critical supply chain attack has compromised over 110,000 websites via cdn.polyfill.io—remove it immedaitely to protect user data and app integrity.
Get secure now
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.
