Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

When we think about software security risks, we often focus on immediate threats—new vulnerabilities discovered in the latest release or zero-day exploits making headlines. But beneath the surface lies a more insidious problem, especially in the public sector: security debt. This hidden risk accumulates quietly, but its impact can be severe, eroding the integrity, resilience, and trustworthiness of government software systems.

In the ever-vigilant effort to secure the open-source ecosystem, Veracode’s continuous monitoring systems recently flagged a pair of npm malware packages—solders and @mediawave/lib. The malicious behavior, however, is not at all obvious at first because of a layer of unusual Unicode obfuscation that caught our attention. Our investigation focused on the solders package, which leverages a common yet critical attack vector: a postinstall script in its package.json.

Maintaining continuous code quality is critical—not only to ensure functionality, but also to safeguard against security vulnerabilities. However, the challenge of balancing speed, complexity, and security is a tough one. Enter AI-powered solutions like Veracode Fix, which are transforming how organizations detect, remediate, and prevent software flaws — all while improving developer productivity and code quality.

In today’s cybersecurity landscape, security teams face a daunting challenge: managing an ever-growing volume of risks with limited time and resources. Traditional manual risk resolution methods are no longer sufficient. They slow down response times, increase the risk of human error, and strain already stretched teams—ultimately compromising the organization’s security posture. That’s where automated risk resolution comes in.

Understanding the security posture of your application stack is increasingly important. Exploitation of vulnerabilities surpassed phishing as the known initial access vectors in non-Error, non-Misuse breaches, according to the Verizon 2025 Data Breach Investigations Report. As a CISO or security leader, are you prepared for this shift in the industry?

Securing your applications is vital in today’s fast-moving world of software development. With threats constantly getting smarter, developers need strong tools to identify and fix weaknesses right from the start. Just ask Alex, a developer who once spent a sleepless night fixing a last-minute security flaw. That’s where Veracode SAST comes in. This powerful tool not only scans your source code and binary files but also integrates seamlessly with your IDEs, repositories, and CI/CD pipelines.

Security teams are drowning in data. From static application security testing (SAST) and software composition analysis (SCA) to cloud security posture management (CSPM) and third-party findings, the sheer volume and variety of vulnerability data can overwhelm even the most sophisticated organizations. The problem isn’t just collecting this data—it’s making sense of it. Most solutions fail to unify these disparate data sources into a single, actionable view, leaving teams grappling with.

Modern application environments are increasingly complex, combining containers, microservices, CI/CD pipelines, and ephemeral compute. While Static Application Security Testing (SAST) and Software Composition Analysis (SCA) can uncover vulnerabilities during build time, they often leave a critical gap: runtime security flaw detection and determining whether a detected flaw is actually exploitable and running in production.

Our security monitoring systems recently flagged a suspicious npm package, os-info-checker-es6, which represents a sophisticated and evolving threat within the npm ecosystem. What initially appeared as a simple OS information utility quickly unraveled into a sophisticated multi-stage malware attack. This campaign employs clever Unicode-based steganography to hide its initial malicious code and utilizes a Google Calendar event short link as a dynamic dropper for its final payload.

Shifting left in security, or integrating security early in the software development lifecycle (SDLC), can help your organization save time and money. By identifying and addressing potential security flaws early, organizations can reduce the likelihood of vulnerabilities being exploited in production applications. This proactive approach is more cost-effective and time-efficient, as it prevents the accumulation of technical debt and minimizes the need for extensive rework or redesign.