Security Flaw in Claude Code Illustrates the Risk of AI in Developer Workflows

AI coding agents are reshaping software development—but they’re also expanding the attack surface. Researchers uncovered a now-patched vulnerability in Anthropic’s Claude Code GitHub Action that could have enabled prompt injection attacks to expose CI/CD secrets, API keys, and credentials. As AI agents gain autonomy in development workflows, organizations must treat untrusted inputs as hostile…

Broadcom Aims to Better Secure Spring Applications in the AI Era

Broadcom today released a raft of updates to the open source Spring framework for building Java applications to primarily address a wave of vulnerabilities discovered by researchers using artificial intelligence (AI) tools. At the same time, Broadcom is also adding a managed service through which organizations can secure thousands of Spring dependencies for organizations building […]

Secure Code Warrior Leverages AI to Extend DevSecOps Training Reach

Secure Code Warrior this week extended the capability of its artificial intelligence (AI) agent to make it possible to surface relevant training insights in real time as application developers are writing code. Announced at the Gartner Security & Risk Management Summit, the Adaptive Learning capability added to the company’s learning platform detects which AI tools […]

IronWorm Malware Shares Shai-Hulud Traits, Takes Threat to ‘Next Level’

Open source software developers continue to come under attack, with the latest threat being a custom malware that shares many of the attributes of the notorious Shai-Hulud self-propagating worm but comes with functions that make it more difficult for defenders to detect and to reverse engineer. Dubbed “IronWorm,” the infostealer is built in the Rust […]

Harness Acquires Codecov to Identify Untested Code

Harness this week acquired Codecov, a provider of a platform that analyzes the percentage of a codebase that has been tested, from Sentry. Brad Rydzewski, a senior vice president and general manager for Harness, said Codecov makes it simpler for DevOps teams to track testing coverage at a time when the volume of code being […]

Regression Testing Tools in the Age of AI-Assisted Development: What Has Changed

For most of the past decade, the conversation around regression testing tools was fairly stable. The tools got faster, the integrations got smoother, and the underlying approach stayed largely the same: write tests, run them in CI, fix failures. The fundamental model did not change much because the problem did not change much. AI-assisted development […]

Shai-Hulud Clone ‘Miasma’ Compromises 32 Red Hat npm Packages

The threat group behind the notorious Mini Shai-Hulud worm last month put the complete source code for the malware into a GitHub repository, essentially open sourcing the threat so that other bad actors can create their own variants. GitHub reportedly took down the repository shortly after it appeared, but the damage was already done, with […]

Can Chainguard Save Open-Source Software From Mythos? Can Anyone?

IBM and Red Hat aren’t the only ones that mean to lock down open-source code against AI hacking tools. Last week, IBM and Red Hat launched Project Lightwell to protect open-source projects with $5 billion and 20 thousand engineers. Not to be outdone, with tongue in cheek, Chainguard’s CEO Dan Lorenc announced a $50 million, […]

IBM, Red Hat Launch Project Lightwell to Secure Open Source Software from Frontier Models

IBM and Red Hat are bringing together what they’ve learned from frontier AI models and 20,000 engineers to launch Project Lightwell, a $5 billion initiative aimed at helping enterprises better secure their open source software, work that has become more challenging in the age of such models as Anthropic’s Claude Mythos Preview. Mythos and similarly […]

JFrog Report Surfaces Need for Rapid DevSecOps Change in AI Era

A report published by JFrog finds that cybercriminals are now increasingly targeting the artificial intelligence (AI) tools and platforms used by application development teams. Based on an analysis of 18.2 billion artifacts managed via the JFrog Platform, security researchers discovered 969 AI agent skills carrying high-impact payloads in addition to 495 malicious AI models on […]

Why DORA Metrics Look Different When AI Is Part of Your Development Workflow

DORA metrics have been a reliable compass for engineering teams for over a decade. Deployment frequency, lead time for changes, change failure rate, mean time to recovery, and reliability give teams a shared language for talking about delivery performance. The research behind them is solid, the benchmarks are well-established, and most engineering leaders know what […]

OWASP Adopts CVE Lite CLI to Boost Dependency Scanning

Checking for dependency vulnerabilities in freshly developed software is usually done near the end of the build process. Remediation at that point can be tricky. Now, JavaScript and TypeScript developers can check for vulnerabilities themselves as they – or their agents – write their source code, using an open source project called CVE Lite CLI. […]

Attackers Can Exploit a Claude Code RCE Flaw to Take Command of System

A dangerous vulnerability found in Anthropic’s popular Claude Code developer model could have allowed bad actors to grab control of a victim’s system by luring them into clicking on a crafted malicious deeplink. Once in, the attacker could exploit the remote code execution (RCE) security flaw to execute arbitrary commands – such as shell commands […]

AI Agents in CI/CD Pipelines: Speed vs Control in Modern DevOps

The moment you push your code, deployment fires off on its own. The pipeline kicks in, the tests sail through, and within a few minutes your app is live in production. There is no manual sign-off and no one scanning through the final changes. Everything is running on the decisions of an AI agent plugged […]

CI/CD Supply Chain Security: Hardening Artifacts, Dependencies, and Delivery Pipelines

Modern CI/CD pipelines have become one of the most attractive attack surfaces in enterprise environments. As organizations push for faster releases, broader automation, and greater reuse of third-party components, the software supply chain has quietly expanded beyond the direct control of any single team. Source code is only one small piece of what ultimately runs in […]

The “Day 2” AI Problem: Why Standard API Gateways Fail at GenAI Scale

Injecting GenAI into applications is deceptively easy. Need a new chatbot backed by an LLM? Grab an OpenAI API key and you can throw together an MVP in an afternoon. This is the pattern teams have used to push AI features into apps for the last few years. The problem, as with previous tech hype […]

GitHub Breach Tied to Malicious VS Code Extension Exposes Thousands of Internal Repositories

GitHub says attackers accessed thousands of internal repositories after a company employee’s device was compromised through a malicious Visual Studio Code extension, though the company said it has removed the malicious extension, isolated the compromised endpoint, and launched an investigation. The company confirmed that approximately 3,800 internal repositories were affected. GitHub stated that…

OpenSSF’s CRob: ‘The Runway Is Rapidly Running Out’ on EU CRA Readiness

The EU’s Cyber Resilience Act kicks into high gear this September, and companies are still clueless about how they must obey its strictures. MINNEAPOLIS — At Open Source Summit North America, Christopher “CRob” Robinson, Chief Security Architect for the Open Source Software Foundation (OpenSSF), spoke about the European Union’s (EU) Cyber Resilience Act (CRA). CRob […]

Why DevOps Is Critical for Modern Business Resilience

Today’s business world operates in a state of constant change. What the customer wants to buy changes quickly, new competitors appear overnight, and cyber threats are changing faster than ever. In this world, the concept of “resilience,” the ability to adapt, to overcome, and to continue to create value for the enterprise despite the changes, […]

Widespread Mini Shai-Hulud Campaign Is a Matter of Trust

The latest series of attacks using the notorious Shai-Hulud worm puts into sharp focus the threats facing software developers and their CI/CD pipelines, an issue that has been raised in recent months as bad actors increasingly turn their attention to DevOps environments. That said, these most recent Shai-Hulud incidents attributed to the TeamPCP group also […]

Amazon Chooses Einride for Its Electric Trucks

Imagine a fleet of silent, zero-emission heavy trucks crossing American highways to deliver Amazon packages. This scenario, still futuristic a few years ago, is becoming reality thanks to a strategic partnership between the e-commerce giant and an innovative Swedish startup. This collaboration marks an important step in the decarbonization of […]

Your CI/CD Pipeline Has Non-Human Identities You Forgot About

A deployment starts failing late on a Friday evening. The initial assumption is that something changed in the application release. Teams start checking container images, Terraform plans and recent commits. Nothing looks wrong. A few hours later, someone discovers the actual issue: a deployment token tied to an old automation workflow expired months ago. The […]

AWS Security Agent Brings Full Repository Code Scanning to Preview

Security teams have long relied on static analysis tools to catch vulnerabilities before code ships. Those tools are useful, but they have a fundamental limitation: they match code against known patterns. They don’t understand your application. AWS is taking a different approach with its latest addition to AWS Security Agent. The company recently released full […]

Hacktron Plans to Build AI Platform to Test Code for Vulnerabilities

Hacktron revealed today it is developing a platform that leverages artificial intelligence (AI) to continuously test code for vulnerabilities. Fresh off raising $2.9 million in seed capital, Hacktron founder Zayne Zhang said the company’s platform will employ multiple AI models to test every pull request and code change to identify vulnerabilities that are actually exploitable. […]

OpenAI’s Daybreak Challenges Anthropic in AI Cybersecurity Race

OpenAI has moved deeper into enterprise cybersecurity with the launch of Daybreak, a platform that identifies software vulnerabilities, validates fixes, and speeds up patching workflows using AI models and its Codex Security system. Daybreak places OpenAI more directly in competition with Anthropic, whose Project Glasswing and Claude Mythos models also offer dual-use AI systems built […]

Continuous Security in DevSecOps: Moving Beyond One-Time Testing

Waiting for a single annual pentest to secure your application is like locking your front door only once a year and hoping for the best. In an era where 133 new vulnerabilities are reported every single day, relying on periodic snapshots leaves your organization exposed to evolving threats for months at a time. This approach is no longer just […]

How Open Source Dependency and Repo Attacks Compromise DevOps Pipelines and How to Stay Safe

Modern applications rely on open source components for up to 90% of their code, creating a vast attack surface dominated by malicious supply chain injections. High-profile incidents like Log4j and the sabotage of colors.js highlight that traditional scanning often fails to detect sophisticated "protestware" or dependency confusion, necessitating 19 practical controls focused on strict intake…
