
Ransomware 2025: Infostealers on the March
RL’s Ransomware Feed data from the first half of the year shows a jump in early-stage threats like infostealers — and a drop in Trojans.

A phishing campaign against maintainers resulted in malware distribution via JavaScript in top open-source packages.

With attacks on popular repositories on the rise, PyPI has moved to head off a common technique for duping developers. Here’s what it accomplishes — and where there’s room for improvement.

RL discovered how the crypto contracts were abused — and how this incident is tied to a larger campaign to promote malicious packages on top repositories.

ESET researchers have discovered malware that taps into OpenAI’s large language model to assist in ransomware attacks.

RL has discovered a loophole on VS Code Marketplace that allows threat actors to reuse legitimate, removed package names for malicious purposes.

Developer Productivity Engineering provides a framework to boost code production and creativity — and can help to improve application security.

Here are six lessons learned from the near-miss that was the Amazon Q Developer incident. Don't let luck be your security strategy.

Integrated security in AI assistants could help to catch code flaws — but they are only one layer in a comprehensive AppSec strategy.

Scott Culp’s formulation still holds true — though some additions are needed that account for software supply chain security.

Here's how to integrate AI-specific risks into your existing security incident response (IR) playbook.

The eslint-config-prettier package exposed more than 10,000 dependent projects. The incident highlights the growing risks in automated dependency updating.

Researchers at Black Hat discussed how these tools can leave development teams vulnerable to hacks like remote-code execution.

Leading firms are using DevEx to achieve application security gains at speed. Here's how it works — and how to get started.

Application security pros need to be ready to cope with security at the speed of code. Here's how to get a handle on modern software risk.