
CI/CD for Mobile Apps Streamlining Development Efficiency

Imagine spending a few weeks building a mobile app, only to watch users abandon it because of a faulty update or a chronic feature rollout. Your coders are fed up. Your QA team is flooded. And every release is a tightrope walk with a blindfold on. That is the sad state of mobile app development without CI/CD. Now imagine the alternative: whenever your team pushes code, a test, a build, and a deploy happen automatically. No eleventh-hour rush. No delays.

npm Supply Chain Attack: What Happened and How to Protect Your Software

On September 8, 2025, a large-scale npm supply chain attack quickly compromised 18 popular packages, which together represent more than 2.6 billion weekly downloads within the bioinformatics ecosystem. Attackers hijacked a maintainer’s account through a phishing campaign that impersonated npm support, then uploaded backdoored versions of popular packages like chalk, debug, ansi-styles, and supports-color.

PQC Code Signing in a CNSA 2.0 World: Preparing for the Quantum Leap

In 5-7 years, quantum computers will likely crack RSA and other currently used encryption methods. That’s not fear-mongering. That’s math. Your enterprise code signing certificates? The ones protecting your software distributions right now? They’re sitting ducks. Every single RSA-2048 and ECDSA certificate you own will be worthless the moment a sufficiently powerful quantum computer comes online. Most enterprises have zero post-quantum cryptography strategy.

Salesloft Drift Supply Chain Attack Hits Palo Alto Networks and Zscaler

A significant supply chain incident has rocked the security industry, showing that even some of the biggest security enterprises are exposed to the risk of third-party SaaS product integrations. The incident, involving Salesloft Drift, a marketing automation solution integrated with Salesforce, resulted in the threat actor obtaining OAuth tokens. These tokens allowed them to exfiltrate massive volumes of sensitive customer data, including account records, case information, and contact data.

Microsoft to Enforce Mandatory MFA for Azure and Microsoft 365 Admin Accounts

Microsoft has also been enhancing cloud security by ensuring that multi-factor authentication (MFA) is enabled for all of its Azure and Microsoft 365 administrative accounts. The rollout will begin with Azure portals in October 2025 and progressively extend to command-line tools, APIs, and Infrastructure-as-Code (IaC) environments in October of that year. For organizations, this means adapting their authentication workflows to align with Microsoft’s phased enforcement plan or risking disruption.

What is Code Injection? Types, Prevention & Detection Strategies

In 2021, a critical vulnerability in a popular Node.js library allowed hackers to carry out code injection and silently compromise thousands of applications, with disastrous effects. It wasn’t a brute-force attack. It wasn’t ransomware. It was a few cleverly constructed pieces of malicious code that got through defences and gave attackers carte blanche. Code injection attacks are no longer rare. They’re alarmingly common.