How 56 npm packages used binding.gyp to steal CI/CD secrets
The attack is notable for its breadth, with the threat actor flooding npm with malicious package versions.
Featured
How 56 npm packages used binding.gyp to steal CI/CD secrets
Get ahead of frontier AI: 5 AppSec strategy upgrades
Frontier AI is collapsing the time from vulnerability discovery to exploit. Here are 5 ways to update your AppSec before it hits.
Dependency remediation bolstered with CVE Lite CLI
OWASP's new dependency scanner gives developers actionable fixes. But today's supply chain attacks aren’t in any advisory database.
Latest
How 56 npm packages used binding.gyp to steal CI/CD secrets
The attack is notable for its breadth, with the threat actor flooding npm with malicious package versions.
Dependency remediation bolstered with CVE Lite CLI
OWASP's new dependency scanner gives developers actionable fixes. But today's supply chain attacks aren’t in any advisory database.
Get ahead of frontier AI: 5 AppSec strategy upgrades
Frontier AI is collapsing the time from vulnerability discovery to exploit. Here are 5 ways to update your AppSec before it hits.
CVE noise drowns out supply chain threats
48,000 CVEs were reported in 2025 — but just 58 were critical. A new report highlights why signal-to-noise ratio matters for AppSec.
31 Red Hat npm packages backdoored in 72 seconds
RL has discovered a new supply chain attack affecting 9.8M total downloads across Red Hat's Hybrid Cloud Console JavaScript ecosystem.
Forrester Names RL in Agentic Development Security Market
The new landscape report maps 35 vendors addressing an emerging category of risk: AI agents writing insecure code at machine speed.
5 lessons from vulnerability management's front lines
VM success is determined by findings reaching developers with context — which is getting more challenging. Here's why to shift gears.
Dependency attack takes down ed-tech platform at scale
The Canvas LMS supply chain compromise — which hit during finals week — shows the impact of cascading attacks.
Researcher's Notebook: Hunting Megalodon Fossils
Analyzing C2 responses from compromised GitHub Actions linked a current threat to an earlier one, showing the value of retrohunting.
GitHub breach: The development ecosystem is in the hot seat
This TeamPCP attack is a serious wakeup call about software supply chain security — and the problems with implicit trust.
AI agents are the new insider threat
AI security leader and author Steve Wilson explains why you need to rethink security — and treat AI agents as digital workers.
Hackers Abuse Parental Controls to Hijack Google Accounts
Learn how attackers are re-casting adults as minors to bypass recovery and lock users out.
Spectra Analyze, Spectra Core Update: Deeper Detection, Smarter Analysis
RL threat detection and binary analysis can now close the gap for threat hunters.
Shai-Hulud code drop: It’s open season for attacks
The npm malware's public release provides a ready-made blueprint for threat actors. Take action on supply chain security.
RL Joins NATO Locked Shields Cyber Event: 3 Takeaways
ReversingLabs joined defensive teams with its malware analysis platform. Here are key lessons.