Device code phishing bypasses password stealing
The Microsoft 365 phishing campaign persuades victims to complete a real authentication process that authorizes an attacker-controlled device.
Featured
Device code phishing bypasses password stealing
How to defend ARM64 cloud infrastructure from ITScape
RL has documented CVE-2026-46316, and developed two YARA rules to help detect exploits of the multi-tenant cloud vulnerability.
MCP security tracks API's playbook — we know how that ends
The standard connecting AI agents to tools and data leaves security to others. Make it a do-over.
Latest
Device code phishing bypasses password stealing
The Microsoft 365 phishing campaign persuades victims to complete a real authentication process that authorizes an attacker-controlled device.
How to defend ARM64 cloud infrastructure from ITScape
RL has documented CVE-2026-46316, and developed two YARA rules to help detect exploits of the multi-tenant cloud vulnerability.
MCP security tracks API's playbook — we know how that ends
The standard connecting AI agents to tools and data leaves security to others. Make it a do-over.
Working with agentic AI: A SecOps survival guide
Agentic AI will disrupt how SOC teams are built — and the way CISOs hire. Here’s how to embrace AI.
Phishing attacks leverage TikTok, Instagram Reels
RL has discovered two social engineering attack techniques targeting users via short-form videos. Here’s how they work.
How 56 npm packages used binding.gyp to steal secrets
The attack is notable for its breadth, flooding npm with malicious package versions.
Dependency remediation bolstered with CVE Lite CLI
OWASP's new dependency scanner gives developers actionable fixes. But supply chain attacks aren’t yet CVEs.
Get ahead of frontier AI: 5 AppSec strategy upgrades
Frontier AI is collapsing the time from vulnerability discovery to exploit. Here are 5 ways to update your AppSec before it hits.
CVE noise drowns out supply chain threats
48,000 CVEs were reported in 2025 — but just 58 were critical. A new report highlights why signal-to-noise ratio matters for AppSec.
31 Red Hat npm packages backdoored in 72 seconds
RL has discovered a new supply chain attack affecting 9.8M total downloads across Red Hat's Hybrid Cloud Console JavaScript ecosystem.
Forrester Names RL in Agentic Development Security Market
The new landscape report maps 35 vendors addressing an emerging category of risk: AI agents writing insecure code at machine speed.
5 lessons from vulnerability management's front lines
VM success is determined by findings reaching developers with context — which is getting more challenging. Here's why to shift gears.
Dependency attack takes down ed-tech platform at scale
The Canvas LMS supply chain compromise — which hit during finals week — shows the impact of cascading attacks.
Researcher's Notebook: Hunting Megalodon Fossils
Analyzing C2 responses from compromised GitHub Actions linked a current threat to an earlier one, showing the value of retrohunting.
GitHub breach: The development ecosystem is in the hot seat
This TeamPCP attack is a serious wakeup call about software supply chain security — and the problems with implicit trust.