
The latest News and Information on Application Security including monitoring, testing, and open source.

Axios CVE-2026-40175: a critical bug that's... not exploitable

It’s been a chaotic few weeks for Axios. First, a major supply chain attack put the package under scrutiny. Then, just days later, headlines started appearing about a “critical 10/10 vulnerability” that could lead to full cloud compromise. If you’ve read the coverage, you’ve probably seen claims like: That sounds bad. But when you look closely at how this vulnerability actually behaves in real environments, the story changes.

Why Securing AI Code Generation is Critical for AppSec

The revolution is here, but it’s not what we expected. AI coding assistants have transformed software development, with developers shipping code faster than ever before. GitHub Copilot, Amazon CodeWhisperer, and Claude Code have become as essential to modern development as Git itself. The productivity gains are undeniable; what once took hours now takes minutes. But there’s a dangerous blind spot in this revolution: security.

Observability and Security for the AI Era

Datadog has always been driven by a broader vision of helping teams understand and operate complex systems. In this session, you’ll hear from Yanbing Li, Chief Product Officer, and Shri Subramanian, Group Product Manager, as they share the latest updates across the Datadog product suite and discuss how that vision continues to shape the platform’s evolution and support the next generation of AI-driven applications.

Bug bounty isn't dead, but the old model is breaking

Bug bounty has been a very hot topic lately. We’re seeing high-profile programs go offline or fundamentally change: the IBB (one of the most important bounty programs for open-source projects) is pausing submissions, curl is removing payouts, and Node.js is removing its bounty entirely. That’s not noise, that’s signal.

Stop Drowning in Container CVE Alerts: Reachable Risk & Docker VEX with Mend.io

Developers are often overwhelmed by thousands of container CVE alerts, most of which are unfixable base image noise. This walk-through covers how to use reachable risk factors and Docker VEX statements within the Mend.io platform to streamline your vulnerability management.
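The mechanism the walk-through relies on, shown as an added example that is not Mend.io's or Docker's code: a small Python filter that applies an OpenVEX document to a scanner's findings, drops CVEs the image owner has marked not_affected (for instance with the justification vulnerable_code_not_in_execute_path, which is the claim a reachability analysis backs up), and refuses to honour a not_affected statement that carries neither a justification nor an impact statement. The scan findings, the image purl, the package purls and the CVE identifiers (CVE-0000-...) are constructed placeholders, not real advisories.

```python
"""Apply OpenVEX statements to container scan findings (added example; sample data is constructed)."""
import json

# Constructed scanner output: one finding per (CVE, package) pair found in the image.
SCAN_FINDINGS = [
    {"cve": "CVE-0000-0001", "package": "pkg:deb/debian/libexample@1.0-1", "severity": "critical", "layer": "base"},
    {"cve": "CVE-0000-0002", "package": "pkg:deb/debian/libexample@1.0-1", "severity": "high", "layer": "base"},
    {"cve": "CVE-0000-0003", "package": "pkg:npm/example-lib@2.3.4", "severity": "high", "layer": "app"},
]

# Constructed image identifier (hypothetical digest); OpenVEX products are addressed by purl.
IMAGE_PURL = "pkg:oci/example-app@sha256%3Adeadbeef"

# Constructed OpenVEX document. The third statement is deliberately malformed: not_affected
# without a justification or impact_statement, which the filter must not honour.
VEX_DOCUMENT = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/example-app-1",
  "author": "example-app security team",
  "timestamp": "2026-01-01T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:oci/example-app@sha256%3Adeadbeef",
                   "subcomponents": [{"@id": "pkg:deb/debian/libexample@1.0-1"}]}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:oci/example-app@sha256%3Adeadbeef"}],
     "status": "affected",
     "action_statement": "Rebuild on the patched base image when it is published"},
    {"vulnerability": {"name": "CVE-0000-0003"},
     "products": [{"@id": "pkg:oci/example-app@sha256%3Adeadbeef"}],
     "status": "not_affected"}
  ]
}""")

NOT_ACTIONABLE = {"not_affected", "fixed"}
ALLOWED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def valid_statement(stmt):
    """A not_affected claim needs a recognised justification or an impact_statement."""
    status = stmt.get("status")
    if status == "not_affected":
        return stmt.get("justification") in ALLOWED_JUSTIFICATIONS or bool(stmt.get("impact_statement"))
    return status in {"affected", "fixed", "under_investigation"}


def statement_applies(stmt, image_purl, cve, package_purl):
    """True when the statement names this CVE and this image (and, if listed, this subcomponent)."""
    if stmt.get("vulnerability", {}).get("name") != cve:
        return False
    for product in stmt.get("products", []):
        if product.get("@id") != image_purl:
            continue
        subs = product.get("subcomponents")
        if not subs:
            return True  # no subcomponents listed: the statement covers the whole image
        if any(s.get("@id") == package_purl for s in subs):
            return True
    return False


def vex_status(doc, image_purl, cve, package_purl):
    """Return the status of the last valid, applicable statement, or None if there is none."""
    status = None
    for stmt in doc.get("statements", []):
        if valid_statement(stmt) and statement_applies(stmt, image_purl, cve, package_purl):
            status = stmt["status"]  # later statements override earlier ones
    return status


def filter_findings(findings, doc, image_purl):
    """Keep only findings that are still actionable after applying the VEX document."""
    actionable = []
    for f in findings:
        status = vex_status(doc, image_purl, f["cve"], f["package"])
        if status in NOT_ACTIONABLE:
            continue
        actionable.append({**f, "vex_status": status or "no_statement"})
    return actionable


if __name__ == "__main__":
    for f in filter_findings(SCAN_FINDINGS, VEX_DOCUMENT, IMAGE_PURL):
        print(f["severity"], f["cve"], f["package"], f["vex_status"])
```

Only two of the three findings survive: the critical base-image CVE is silenced by a justified not_affected statement, the affected one stays with its action statement, and the unjustified not_affected claim for the application package is ignored, so that finding keeps showing up until someone documents why it is safe.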

Aikido Attack finds multiple 0-days in Hoppscotch

Hoppscotch is an open-source API development ecosystem, similar to Postman, with over 100,000 monthly users. Two weeks ago, we set up a self-hosted instance and ran our AI pentest agents against it. They found two high-severity vulnerabilities and one medium-severity vulnerability, all present in versions up to and including 2026.2.1, and all patched in 2026.3.0: All three were responsibly disclosed and have been resolved. Note: We accidentally grouped the XSS and an Access Control issue into one report.

Your AppSec Metrics Are Lying to You. Here's What Actually Matters

Mend.io, formerly known as WhiteSource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development, using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.

AI Application Security: 6 Focus Areas and Critical Best Practices

AI application security protects AI-powered apps, including those powered by large language models (LLMs), from unique threats like prompt injection, data poisoning, and model theft. It achieves this by securing the entire lifecycle, including code, data, algorithms, and APIs, using specialized tools and processes that go beyond traditional security measures. It involves securing the AI model’s behavior, training data, and outputs.

Flutter App Security Testing: Why most tools fail and what actually works

Most mobile security workflows end in a familiar way. A scan runs, a report is generated, and the output looks reassuring. There are no critical issues, maybe a few medium findings, nothing that blocks a release. The process completes, the team moves forward, and the app ships. At that moment, the assumption is clear. The app has been tested. The risk is understood. But there is a question that rarely gets asked, and it changes the entire conversation.

Your AppSec Pipeline Is Lying To You: More Vulnerabilities Security

357 crash reports. 2 actual bugs. That is not a typo. That is the reality of modern application security testing. In a recent fuzzing campaign, over a thousand crash files were generated across billions of executions. After crash deduplication and triage, that number collapsed to just two unique issues. Not hundreds of vulnerabilities. Not dozens of risks. Two. And yet, most security teams would have celebrated the initial numbers.
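What the crash deduplication step looks like in practice, as an added example that is not from the article's campaign or from any particular fuzzing tool: sanitizer-style crash reports are bucketed by crash type plus the top application frames, with addresses, line numbers, sanitizer interceptors and libFuzzer harness frames stripped out, so a pile of crash files collapses to the handful of distinct bugs behind them. The crash reports, function names and file paths below are constructed sample data.

```python
"""Bucket fuzzer crash reports by a normalised stack signature (added example; crashes are constructed)."""
import hashlib
import re

# Constructed sanitizer output: six crash files, different addresses, two underlying bugs.
CRASHES = {
    "crash-001": """==4101==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014
    #0 0x4a1b2c in parse_header src/parser.c:88
    #1 0x4a0f10 in parse_packet src/parser.c:142
    #2 0x49f8e0 in LLVMFuzzerTestOneInput fuzz/harness.c:12
    #3 0x7f3cde in fuzzer::Fuzzer::ExecuteCallback FuzzerLoop.cpp:611""",
    "crash-002": """==4177==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000001a
    #0 0x4a1b40 in parse_header src/parser.c:90
    #1 0x4a0f10 in parse_packet src/parser.c:142
    #2 0x49f8e0 in LLVMFuzzerTestOneInput fuzz/harness.c:12""",
    "crash-003": """==4203==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018
    #0 0x4c0a11 in __interceptor_memcpy asan_interceptors_memintrinsics.cpp:22
    #1 0x4a1b2c in parse_header src/parser.c:88
    #2 0x4a0f10 in parse_packet src/parser.c:142
    #3 0x49f8e0 in LLVMFuzzerTestOneInput fuzz/harness.c:12""",
    "crash-004": """==4310==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000a5f0c0
    #0 0x4b2210 in decode_body src/decoder.c:31
    #1 0x4a0fa0 in parse_packet src/parser.c:150
    #2 0x49f8e0 in LLVMFuzzerTestOneInput fuzz/harness.c:12""",
    "crash-005": """==4388==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000a5f0c4
    #0 0x4b2218 in decode_body src/decoder.c:31
    #1 0x4a0fa0 in parse_packet src/parser.c:150
    #2 0x49f8e0 in LLVMFuzzerTestOneInput fuzz/harness.c:12""",
    "crash-006": """==4412==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011
    #0 0x4a1b2c in parse_header src/parser.c:88
    #1 0x4a0f10 in parse_packet src/parser.c:142
    #2 0x49f8e0 in LLVMFuzzerTestOneInput fuzz/harness.c:12""",
}

# "#N 0xADDR in FUNC FILE:LINE" as printed by the sanitizer symbolizer.
FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+?):(\d+)")
KIND_RE = re.compile(r"(AddressSanitizer|UndefinedBehaviorSanitizer|LeakSanitizer): ([\w-]+)")

# Frames that belong to the sanitizer runtime, libc wrappers or the fuzzing harness, not the target.
NOISE_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer", "__libc_", "LLVMFuzzerTestOneInput", "fuzzer::")
TOP_FRAMES = 3  # how many application frames make up the signature


def parse_crash(text):
    """Return (crash kind, top application frames as 'func@file'), skipping noise frames.

    Addresses and line numbers are dropped on purpose: ASLR and small edits would otherwise
    split one bug into many buckets. Tighten to function+line if buckets turn out too coarse.
    """
    kind_m = KIND_RE.search(text)
    kind = kind_m.group(2) if kind_m else "unknown"
    frames = []
    for m in FRAME_RE.finditer(text):
        func, path = m.group(2), m.group(3)
        if func.startswith(NOISE_PREFIXES):
            continue
        frames.append(f"{func}@{path}")
        if len(frames) == TOP_FRAMES:
            break
    return kind, frames


def crash_signature(text):
    """Stable short hash of crash kind plus normalised top frames."""
    kind, frames = parse_crash(text)
    return hashlib.sha256("|".join([kind, *frames]).encode()).hexdigest()[:16]


def deduplicate(crashes):
    """Map signature -> list of crash file names sharing it."""
    buckets = {}
    for name, text in crashes.items():
        buckets.setdefault(crash_signature(text), []).append(name)
    return buckets


if __name__ == "__main__":
    buckets = deduplicate(CRASHES)
    print(f"{len(CRASHES)} crash files -> {len(buckets)} unique issues")
    for sig, names in buckets.items():
        kind, frames = parse_crash(CRASHES[names[0]])
        print(sig, kind, " <- ".join(frames), names)
```

Six files become two buckets: crash-003 lands with the parse_header overflow even though its top frame is an ASan memcpy interceptor, and crash-002 joins it despite faulting on a different line of the same function. Manual triage then happens once per bucket, not once per file, which is the collapse the article describes.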