A malicious Model Context Protocol package was found in the wild last week. Here are lessons from the compromise of the AI interface tool.
Read More about The Postmark MCP server attack: 5 key takeaways
Here's what you need to know about the discovery of the first self-replicating npm worm, which compromised packages with cloud token-stealing malware.
Read More about FAQ: The Shai-hulud npm worm attack explained
While security defenders welcomed the new vulnerability-validation tool, others stress it can be just as useful for would-be attackers.
Read More about CVE-Genie raises the stakes in the vulnerability management race
AI coding and other modern development practices mean flawed code will continue to ship. Here are key recommendations for managing software risk.
Read More about Deadlines vs. secure code: What AppSec teams can do
The new guidance would raise the bar for software vendors, who will need to ensure the SBOMs they generate are more detailed and machine-readable.
Read More about CISA’s new SBOM standards go beyond checkbox security
CSA’s AI Controls Matrix can help development and AppSec teams distill priorities for securing the AI software supply chain.
Read More about Developing trustworthy AI: 9 key threat categories
The new procurement tool seeks to strengthen third-party software risk management (TPSRM). But the process is manual and cumbersome.
Read More about CISA tool aims to boost security for software onboardingThe new procurement tool seeks to strengthen third-party software risk management (TPSRM). But the process is manual and cumbersome.
Read More about CISA tool aims to boost security for software onboarding
A phishing campaign against maintainers resulted in malware distribution via Javascript in top open-source packages.
Read More about Crypto wallets targeted in widespread hack of npm, GitHub
With attacks on popular repositories on the rise, PyPI has moved to head off a common technique for duping developers. Here’s what it accomplishes — and where there’s room for improvement.
Read More about PyPI tackles domain resurrection: Why it matters — and what’s missing
ESET researchers have discovered malware that taps into OpenAI’s large language model to assist in ransomware attacks.
Read More about The future is here: AI-borne ransomware has arrived
Here are six lessons learned from the near-miss that was the Amazon Q Developer incident. Don't let luck be your security strategy.
Read More about How AWS averted an AI coding supply chain disaster
Integrated security in AI assistants could help to catch code flaws — but they are only one layer in a comprehensive AppSec strategy.
Read More about AI coding tools gain security — but the controls do not cut it
Scott Culp’s formulation still holds true — though some additions are needed that account for software supply chain security.
Read More about ‘The Immutable Laws of Security’ at 25: 5 corollaries for a new era
Here's how to integrate AI-specific risks into your existing security incident response (IR) playbook.
Read More about OWASP GenAI Incident Response Guide 1.0: How to put it to work