Supply Chain Compromises Impact Nx Console and GitHub Repositories
CISA is prioritizing the response to multiple emerging software supply chain intrusion campaigns targeting developer ecosystems and Continuous Integration/Continuous Delivery (CI/CD) pipelines. These recent incidents, including the GitHub compromise via a malicious Nx Console Visual Studio Code VS...
Malicious code in @cap-js/postgres (npm)
Supply chain compromise of legitimate SAP packages published by the threat actor "[email protected]" impersonating SAP toolchain maintainers. All four compromised packages share the same fingerprint: setup.mjs (4.4 KB) and execution.js (11.1 MB) bundled in the tarball, with a preinstall hook of "node...
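The fingerprint above (an install-time lifecycle hook plus an unusually large bundled script) is cheap to check for before a registry tarball ever reaches `npm install`. The following is an added example, not the advisory's tooling or any npm/SAP code: it builds an npm-style tarball in memory from constructed data and audits it for both traits. The package name, file sizes and threshold are this example's own assumptions.

```python
import io
import json
import tarfile

# Added example, not the advisory's or npm's tooling. It audits an npm-style
# tarball for an install-time lifecycle hook and an unusually large bundled
# script. The tarball is constructed in memory; package names, sizes and the
# threshold are this example's own assumptions.

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def build_constructed_tarball(scripts: dict, files: dict) -> bytes:
    """Produce a gzip tarball laid out like an npm package (members under
    'package/'). Constructed test data only."""
    buf = io.BytesIO()
    manifest = {"name": "@example/constructed", "version": "0.0.1", "scripts": scripts}
    members = [("package/package.json", json.dumps(manifest).encode())]
    members += [(f"package/{name}", data) for name, data in files.items()]
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_tarball(tar_bytes: bytes, large_script_bytes: int = 1_000_000) -> dict:
    """Report lifecycle hooks declared in package.json and any bundled JS
    file at or above large_script_bytes. Nothing is extracted to disk."""
    findings = {"lifecycle": {}, "large_scripts": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        files = {m.name: m for m in tar.getmembers() if m.isfile()}
        manifest = files.get("package/package.json")
        if manifest is not None:
            pkg = json.loads(tar.extractfile(manifest).read())
            scripts = pkg.get("scripts") or {}
            findings["lifecycle"] = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        for name, member in files.items():
            if name.endswith((".js", ".mjs", ".cjs")) and member.size >= large_script_bytes:
                findings["large_scripts"].append((name, member.size))
    return findings


def is_suspicious(findings: dict) -> bool:
    """A hook that runs at install time plus a large bundled script is the
    combination worth a human look before the package is allowed in."""
    return bool(findings["lifecycle"]) and bool(findings["large_scripts"])


if __name__ == "__main__":
    # Constructed tarball modelled on the pattern in the advisory.
    suspicious = build_constructed_tarball(
        {"preinstall": "node setup.mjs", "test": "jest"},
        {"setup.mjs": b"// loader stub\n" * 100, "execution.js": b"x" * 200_000},
    )
    report = audit_tarball(suspicious, large_script_bytes=100_000)
    print(report, "->", "SUSPICIOUS" if is_suspicious(report) else "ok")
```

In a pipeline this runs against the `.tgz` fetched with `npm pack <name>@<version>` (or a registry mirror) and gates on `is_suspicious`; the size threshold should be tuned to what your dependencies normally ship.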
CVE-2026-31961 Unbounded memory allocation in Quill via unvalidated size fields in Mach-O binary parsing
Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 contains an unbounded memory allocation vulnerability when parsing Mach-O binaries. Exploitation requires that Quill processes an attacker-supplied Mach-O binary, which is most likely in...
Exploit for Argument Injection in GNU Inetutils
CVE-2026-24061 GNU inetutils Telnet Detector: A safe, passive...
CVE-2026-23889 pnpm has Windows-specific tarball Path Traversal
pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `..`. On Windows, backslashes are directory separators...
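The point worth taking from this advisory is that a member-path check must model the separators of the OS that will do the extraction before it looks for `..`. The following is an added example, not pnpm's code: `weak_member_check` models the insufficient check described above (strip a leading `./`, look no further), and `is_safe_member_path` folds backslashes on Windows first and then rejects any path that normalises to an escape. The function names and sample member names are this example's own.

```python
import posixpath

# Added example, not pnpm's code. It contrasts a check that only strips "./"
# with one that first folds the extracting OS's separators into "/" and then
# rejects any path that escapes. Function names and sample names are this
# example's own.


def weak_member_check(name: str) -> bool:
    """Models the insufficient check: strip a leading "./", refuse absolute
    paths, accept everything else. It never looks at ".." and never treats
    a backslash as a separator, so "pkg\\..\\..\\x" passes."""
    if name.startswith("./"):
        name = name[2:]
    return not name.startswith("/")


def is_safe_member_path(name: str, windows: bool) -> bool:
    """Return True only if the archive member will land inside the
    extraction directory on the target platform.

    windows=True folds backslashes into "/" because Windows path APIs treat
    both as separators; on POSIX a backslash is an ordinary filename byte
    and must NOT be folded, or legitimate names are mangled."""
    if windows:
        name = name.replace("\\", "/")
    # Absolute paths and drive-letter paths (C:...) can never be in-tree.
    if name.startswith("/") or (len(name) >= 2 and name[1] == ":"):
        return False
    # normpath collapses "./" and "seg/../" so the escape check sees the
    # real destination. An escaping path normalises to ".." or "../...".
    norm = posixpath.normpath(name)
    return not (norm == ".." or norm.startswith("../"))


def reject_unsafe_members(names, windows: bool):
    """The member names that must not be extracted on the given platform."""
    return [n for n in names if not is_safe_member_path(n, windows)]


if __name__ == "__main__":
    # Constructed member names modelled on the advisory's description.
    SAMPLE = ["package/index.js", "./package/lib/a.js", "../evil.js",
              "package/../../evil.js", "package\\..\\..\\evil.js", "C:\\evil.js"]
    print("weak check accepts:", [n for n in SAMPLE if weak_member_check(n)])
    print("unsafe on Windows :", reject_unsafe_members(SAMPLE, windows=True))
    print("unsafe on POSIX   :", reject_unsafe_members(SAMPLE, windows=False))
```

Note that `package\..\..\evil.js` is rejected only when `windows=True`; on POSIX it is a single odd filename, which is exactly why a check written and tested on Linux can be sound there and still be wrong for Windows consumers.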
Duplicate Advisory: Wrangler affected by OS Command Injection in `wrangler pages deploy`
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-36p8-mvp6-cv38. This link is maintained to preserve external references. Original Description. Summary: A command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The iss...
EUVD-2018-6511
Malware in sbrugna...
EUVD-2023-2156
Malicious code in bioql PyPI...
The New Frontline: Why DevOps Became a Cyber Target
Your developers didn't become...
CVE-2025-49598 conda-forge-ci-setup Allows Arbitrary Code Execution via Insecure Version Parsing
conda-forge-ci-setup is a package installed by conda-forge each time a build is run on CI. The conda-forge-ci-setup-feedstock setup script is vulnerable due to the unsafe use of the eval function when parsing version information from a custom-formatted meta.yaml file. An attacker controlling...
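The general hazard here is `eval()` on a field read from a file the contributor controls. The following is an added example, not conda-forge-ci-setup's code: it pulls a `version:` field out of constructed meta.yaml-like text, shows the vulnerable parse executing an expression, and pairs it with a parse that accepts only a bare or quoted version token. The fragments, regexes and function names are this example's own; the hostile payload is deliberately harmless.

```python
import ast
import re

# Added example, not conda-forge-ci-setup's code. The meta.yaml fragments are
# constructed and the function names are this example's own.

# Constructed inputs. META_HOSTILE puts a Python expression in the version
# field; a real payload would use __import__("os").system(...) instead.
META_OK = "package:\n  name: example\n  version: 1.2.3\n"
META_QUOTED = 'package:\n  name: example\n  version: "1.2.3"\n'
META_HOSTILE = 'package:\n  name: example\n  version: "0.0.%d" % (6 * 7)\n'

_VERSION_LINE = re.compile(r"^\s*version:\s*(.+?)\s*$", re.MULTILINE)
# Conservative version grammar: leading digit, then version-ish characters only.
_VERSION_TOKEN = re.compile(r"[0-9][0-9A-Za-z.+_-]*")


def raw_version_field(meta: str) -> str:
    """Pull the text after 'version:' out of a meta.yaml-like document."""
    m = _VERSION_LINE.search(meta)
    if m is None:
        raise ValueError("no version field")
    return m.group(1)


def parse_version_unsafe(meta: str) -> str:
    """The vulnerable pattern: eval() executes whatever the field contains.
    Shown for contrast only; never do this on untrusted input."""
    return str(eval(raw_version_field(meta)))  # noqa: S307


def parse_version_safe(meta: str) -> str:
    """Accept a bare or quoted version token and nothing else.
    ast.literal_eval only builds constants; it raises on any expression
    that would call, attribute-access or operate on values."""
    field = raw_version_field(meta)
    if _VERSION_TOKEN.fullmatch(field):
        return field
    try:
        value = ast.literal_eval(field)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"rejected version field {field!r}") from exc
    if isinstance(value, str) and _VERSION_TOKEN.fullmatch(value):
        return value
    raise ValueError(f"rejected version field {field!r}")


def accepts_version(meta: str) -> bool:
    """True if the safe parser accepts the document's version field."""
    try:
        parse_version_safe(meta)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("safe  :", parse_version_safe(META_OK), parse_version_safe(META_QUOTED))
    print("unsafe:", parse_version_unsafe(META_HOSTILE), "(expression was executed)")
    print("safe rejects hostile field:", not accepts_version(META_HOSTILE))
```

`ast.literal_eval` is the right tool when a quoted literal must be accepted, but it is not a sandbox; the allow-list regex on the resulting string is what actually bounds what the CI job will do with the value.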
CVE-2024-52582
Cachi2 is a command-line interface tool that pre-fetches a project's dependencies to aid in making the project's build process network-isolated. Prior to version 0.14.0, secrets may be shown in logs when an unhandled exception is triggered because the tool is logging locals of each function. This...
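Dumping every frame's locals on an unhandled exception is a common debugging convenience, and the advisory shows its cost: any credential passed as an argument or held in a header dict ends up in the build log. The following is an added example, not Cachi2's code: it reproduces that handler, then adds a redaction pass keyed on variable names and value shapes. The constructed token, the registry URL and the function names are this example's own.

```python
import re
import traceback

# Added example, not Cachi2's code. It reproduces an exception handler that
# logs every frame's locals and pairs it with a redacting variant. Names and
# the constructed token are this example's own.

# Keys whose values are presumptively secret, and value shapes that look like
# credentials even under an innocent variable name.
SECRET_KEY_RE = re.compile(r"token|secret|passw|api[_-]?key|auth|credential", re.I)
SECRET_VALUE_RE = re.compile(r"^(Bearer |Basic |ghp_|glpat-|AKIA|eyJ)")


def redact(name, value) -> str:
    """repr() the value unless its name or shape marks it as a secret.
    Dicts are walked so that {"Authorization": "Bearer ..."} is caught."""
    if SECRET_KEY_RE.search(str(name)):
        return "<redacted>"
    if isinstance(value, dict):
        inner = ", ".join(f"{k!r}: {redact(k, v)}" for k, v in value.items())
        return "{" + inner + "}"
    if isinstance(value, str) and SECRET_VALUE_RE.match(value):
        return "<redacted>"
    return repr(value)


def dump_frame_locals(tb, redact_secrets: bool) -> str:
    """Render the locals of every frame on the traceback, the way a
    debugging-oriented crash handler would, optionally redacted."""
    lines = []
    for frame, lineno in traceback.walk_tb(tb):
        for name, value in frame.f_locals.items():
            shown = redact(name, value) if redact_secrets else repr(value)
            lines.append(f"{frame.f_code.co_name}:{lineno} {name}={shown}")
    return "\n".join(lines)


def fetch_dependency(url: str, token: str) -> bytes:
    """Stand-in for a prefetch step that authenticates to a registry."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    # Constructed failure: no network call is made; we fail the way an
    # unreachable registry would, with `headers` and `token` still live.
    raise ConnectionError(f"could not reach {url} with {len(headers)} headers")


def prefetch_with_crash_log(redact_secrets: bool) -> str:
    """Run the prefetch and return the crash log that would be written."""
    token = "ghp_constructedExampleTokenNotReal0123"  # constructed, not a real credential
    try:
        fetch_dependency("https://registry.example.invalid/pkg", token)
    except ConnectionError as exc:
        return dump_frame_locals(exc.__traceback__, redact_secrets)
    return ""


if __name__ == "__main__":
    print("--- unredacted (leaks the token) ---")
    print(prefetch_with_crash_log(redact_secrets=False))
    print("--- redacted ---")
    print(prefetch_with_crash_log(redact_secrets=True))
```

Name-based redaction alone misses a token bound to `t` or buried in a dict under a neutral key, which is why the value-shape pattern and the dict walk are both present; the more robust fix, and the one the advisory's version bump points at, is to not log locals in production at all.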
Secure Your APIs and Reduce Your Attack Surface With Modern, AI-powered API Security in Qualys Web Application Scanning (WAS)
The rise of APIs presents both opportunities and challenges in today’s hyperconnected digital world. APIs are integral to digital transformation initiatives across industries. The latest data indicates that over 83% of web traffic now comprises API traffic, highlighting their critical role in...
Practical Guidance For Securing Your Software Supply Chain
The heightened regulatory and legal pressure on software-producing organizations to secure their supply chains and ensure the integrity of their software should come as no surprise. In the last several years, the software supply chain has become an increasingly attractive target for attackers who...
An End-to-End Approach to Next-Gen Security for Web Applications & APIs
According to Verizon’s 2022 Data Breach Investigations Report, web applications remain both the top hacking vector and data breach pattern, accounting for roughly 70% of security incidents. This is because web applications are everywhere and easily probed for weaknesses. A vulnerability in any...
Kubeclarity - Tool For Detection And Management Of Software Bill Of Materials (SBOM) And Vulnerabilities Of Container Images And Filesystems
KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. It scans both runtime K8s clusters and CI/CD pipelines for enhanced software supply chain security. SBOM and vulnerability detection challenges: Effective...
Workshop: Visibility Into Open Source Code
Learn how to leverage Trend Micro Cloud One - Open Source Security by Snyk with your code repositories and CI/CD pipelines to scan projects, resulting in better visibility, tracking, and early awareness of open source issues...
Broken pipelines for everyone!
With SonarQube 8.9 LTS, SonarSource has made failing the pipeline available for everyone, using any CI you want. For people watching for a long time, this might seem like a contradiction. Let me explain. Yes, we have gone back and forth for a while on this feature, but the user community has...
What are the benefits of SAST testing in CI/CD pipelines?
Static application security testing (SAST) is traditionally used in software development lifecycles, both early in the process and often, to "white box" test all files containing source code. Integrating SAST into modern CI/CD pipelines allows developers to continuously monitor their code, providi...
Assess Vulnerabilities, Misconfigurations in CI/CD Pipeline
After the publication of Golden AMI Pipeline integration with Qualys, some Qualys customers reached out asking how to integrate Qualys Vulnerability Management scanning into other types of CI/CD Pipelines. To answer these questions, we've published the new guide, Assess Vulnerabilities and...