Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The latest News and Information on Application Security including monitoring, testing, and open source.

Mini Shai-Hulud Targets SAP npm Packages With a Bun-Based Secret Stealer

A new npm supply-chain compromise is targeting the SAP developer ecosystem. The affected packages we are tracking so far are: The pattern is familiar but also a bit different: a trusted package receives a new preinstall hook, the hook runs a new setup.mjs file, and that loader downloads the Bun JavaScript runtime to execute a large obfuscated payload named execution.js. The payload is an 11.7 MB credential stealer and propagation framework.

Datadog MCP Server, Experiments, Bits AI Security Analyst, and more | This Month in Datadog

April’s This Month in Datadog spotlights the Datadog MCP Server, which gives AI agents secure, real-time access to Datadog telemetry, and Datadog Experiments, which lets you design, launch, and analyze experiments to see the full impact of product changes on the user journey. Plus, we cover how to: accelerate Cloud SIEM investigations with Bits AI Security Analyst; remediate vulnerabilities in your codebase with Bits AI Dev Agent for Code Security; and explore Datadog with natural language using Bits Assistant.

What Real AI Security Incidents Reveal About Today's Risks

Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development, using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.

Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm

Version 2026.4.0 of the widely-used @bitwarden/cli npm package (78,000 weekly downloads) has been identified as malicious. The package contains a sophisticated multi-stage credential theft worm that explicitly names itself "Shai-Hulud: The Third Coming", a direct callback to previous Shai-Hulud supply chain campaigns, and targets developer credentials including SSH keys, cloud secrets, and even MCP configuration files.

From Panic to Playbook: Modernizing ZeroDay Response in AppSec

Why the next Log4Shell will be won or lost in the first 72 hours—and what a modern zero‑day workflow looks like. Every security team remembers where they were when Log4Shell dropped. A quiet Friday afternoon in December 2021 turned into a weekend of war rooms, emergency patches, and executive updates. Years on, the Log4j fallout still shows up in breach reports—a stubborn reminder that zero‑days don’t end when the news cycle does.

Application Security Prioritization: How the Best Teams Fix What Matters Most

In the race to ship software faster, security teams are drowning. Not in vulnerabilities… those are abundant, predictable even. They’re drowning in noise. The average enterprise application generates thousands of security findings from multiple scanners, each screaming for attention with equal urgency. Meanwhile, developers are building faster than ever, fueled by cloud-native architectures, open-source dependencies, and AI-generated code. The uncomfortable truth?

Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow

Mailcow is a widely used self-hosted and open source email server that hosts everything you'd need to manage mailboxes yourself. To assess its security, we set up a local instance and ran our AI pentesting agents against it. We found three XSS vulnerabilities, including a critical vulnerability that allowed unauthenticated attackers to take over administrator accounts while looking at their logs in the UI. Gaining access to a mailbox can have a serious security impact.

Stop Guessing AI Security: A Maturity Reality Check


SBOMs That Actually Matter


GitHub Token Recycling #github #tokenrecycling #tokens
