
‘Download pumping’ joins the trust-abuse bandwagon
While this repository vector is not new, researchers have uncovered a new twist for exploiting trusted metrics to hide malicious code.

Freelance technology writer. John's work has appeared in the The Boston Globe and Boston Herald, as well as CFO, CIO, CSO, and Inc. magazines. He is a former managing editor of the Boston Business Journal and Boston Phoenix, as well as a staff writer for Government Security News.
find John P. Mello Jr. on:

While this repository vector is not new, researchers have uncovered a new twist for exploiting trusted metrics to hide malicious code.

The Life and Times of Cybersecurity Professionals study highlights a trend that has accelerated as cyber has become more complex.

Agentic AI is moving the perimeter from components to data — and most strategies aren't built for that.

Disabling scripts by default closes the vector worms like Shai-Hulud rely on. Here's what the update fixes — and what it doesn't.

The standard connecting AI agents to tools and data leaves security to others. Make it a do-over.

OWASP's new dependency scanner gives developers actionable fixes. But supply chain attacks aren’t yet CVEs.

48,000 CVEs were reported in 2025 — but just 58 were critical. A new report highlights why signal-to-noise ratio matters for AppSec.

VM success is determined by findings reaching developers with context — which is getting more challenging. Here's why to shift gears.

This TeamPCP attack is a serious wakeup call about software supply chain security — and the problems with implicit trust.
Get your 14-day free trial of Spectra Assure for Software Supply Chain Security
Get Free TrialMore about Spectra Assure Free Trial