%term

The latest News and Information on Application Security including monitoring, testing, and open source.

Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer

May 23, 2026 By Ilyas Makari In Aikido

On May 22, 2026, we detected an active supply chain attack against Laravel-Lang. We filed a report with the maintainers immediately. The attacker published malicious version tags across three widely used repositories, injecting credential-stealing code that loads automatically via composer’s autoloader feature. What makes this particularly sneaky is that the malicious code was never committed to the official repos at all.

Read Post

Aikido

Read more about Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer

Datadog Detect (May 20, 2026)

May 21, 2026 By Datadog In Datadog

Datadog Detect is a virtual mini-conference dedicated to helping security teams understand the latest in detection engineering. In this edition, featuring talks from Dropbox, Mileva Security Labs, and Datadog, learn how AI is reshaping detection and response and how to apply it to modern security operations.

View Video

Datadog

Read more about Datadog Detect (May 20, 2026)

What the 2026 Verizon DBIR Reveals About the State of Application Security

May 19, 2026 By Natalie Tischler In Veracode

Every year, the Verizon Data Breach Investigations Report sets the tone for how the industry understands the threat landscape. And every year, the most important question isn’t what’s changed — it’s whether organizations are keeping up. Based on the 2026 Verizon DBIR, the honest answer is: not fast enough.

Read Post

Veracode

Read more about What the 2026 Verizon DBIR Reveals About the State of Application Security

Shadow AI is a fear response, and banning it makes it worse

May 12, 2026 By Nicholas Thomson In Aikido

This post is based on Mackenzie's conversation with Noora Ahmed-Moshe on The Secure Disclosure podcast. Listen to the full episode. A company lost a million dollars because someone on a litigation call ran an AI note-taker. As behavioral scientist Noora Ahmed-Moshe explains on the podcast, the tool summarized a confidential conversation and sent it to the opposing party, who used it to force a settlement on their terms.

Read Post

Aikido

Read more about Shadow AI is a fear response, and banning it makes it worse

Hacking LLMs using LinkedIn #aisecurity #ai #llm

May 12, 2026 By Mend In Mend

Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.

View Video

Mend

Read more about Hacking LLMs using LinkedIn #aisecurity #ai #llm

Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack

May 12, 2026 By Raphael Silva In Aikido

Mini Shai-Hulud is back. Like I said before, we were yet to see the full scale of the attack. The npm campaign we covered in April, when it targeted SAP packages, has now turned into a much larger compromise. Our Malware Team detected 373 malicious package-version entries across 169 npm package names. The basic goal is still the same: steal credentials from developer machines and CI/CD runners, then use those credentials to reach more packages. What changed is the scale and the release path.

Read Post

Aikido

Read more about Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack

The complete GitHub Actions security checklist

May 11, 2026 By Dania Durnas In Aikido

GitHub Actions has been exploited a lot in a lot of supply chain attacks lately, and workflow misconfigurations have played big roles. It's dangerous to go alone!

Read Post

Aikido

Read more about The complete GitHub Actions security checklist

Reviewing Malicious PRs at Scale with AI

May 6, 2026 By Datadog In Datadog

As AI coding assistants accelerate software development, the volume of pull requests at Datadog has grown to nearly 10,000 per week, increasing the risk that malicious changes slip through due to review fatigue. To address this, Datadog built BewAIre, an LLM-powered code review system designed to identify malicious source code changes introduced by threat actors. By reducing approval fatigue for developers while increasing friction for attackers, BewAIre guides human reviewers to the areas where judgment matters most, without slowing developer velocity.

View Video

Datadog

Read more about Reviewing Malicious PRs at Scale with AI

Incident Response: Keeping Cool When Everything's on Fire

May 6, 2026 By Datadog In Datadog

The DevOps revolution broke down the traditional silos between development and operations, fundamentally reshaping how we build and maintain software. But with this evolution came an inevitable, and often stressful, reality for many engineers: being on-call and responding to incidents. In this session, Daljeet Sandu will explore how on-call has evolved in recent years, highlight proven best practices, and share insights into the future of incident response in DevOps.

View Video

Datadog

Read more about Incident Response: Keeping Cool When Everything's on Fire

Rolling out developer security in a 5,000+ engineer organization

May 6, 2026 By Mike Wilkes In Aikido

Large engineering organizations like to believe their biggest problems are technical. If only someone would approve the budget for the latest tool, everything would be solved. Lately, the prevailing bet is that the silver bullet is vibe coding powered by your favorite flavor of LLM. But the pathologies of large organizations are rarely technical in nature.

Read Post