security

Malware Security Announcements AI Engineering Technology Open Source SCA Compliance & SBOM CI/CD

Security

prt-scan: A 5-Phase GitHub Actions Credential Theft Campaign

A throwaway GitHub account submitted 219+ malicious pull requests in a single day, each carrying a 352-line payload that steals CI secrets, injects workflows, bypasses label gates, and scans /proc...

Security

Trivy Supply Chain Compromise: What Happened, What Was Stolen, and How to Respond

A consolidated technical reference for the TeamPCP supply chain attack against Aqua Security's Trivy scanner. Covers the full attack chain from AI-assisted initial breach through credential theft,...

Threat Modeling the AI-Native SDLC: Supply Chain Security in the Age of Coding Agents

AI agents are rewriting the software development lifecycle. From vibe coding to autonomous CI/CD, every phase now involves an LLM making decisions about your code and dependencies. Here is a threat...

sl4x0 Dependency Confusion: 92 Packages Target Fortune 500

A sustained dependency confusion campaign by the sl4x0 actor likely targets 20+ organizations including Adobe, Ford, Sony, and Coca-Cola with 92+ malicious npm packages exfiltrating developer data...

How to Write Time-Based Security Policies in SafeDep vet

Protect against unknown malicious open source packages by enforcing a supply chain cooling-off period using the now() CEL function in SafeDep vet.

Gryph: Audit Trail for AI Coding Agents

AI coding agents operate with broad access to your codebase, credentials, and shell. Gryph logs every action they take to a local SQLite database, making agent behavior visible, queryable, and...