|
By Tom Abai
Part 1 covered CanisterWorm, the self-spreading npm worm. Part 2 covered the malicious LiteLLM package. Part 3 covered the telnyx WAV steganography attack. Part 4 covered the xinference AI inference attack. This post covers: a compromised @bitwarden/cli package that combines a self-propagating npm worm, a GitHub Actions secrets dumper, and a novel AI assistant poisoning technique.
|
By Tom Abai
Part 1 covered CanisterWorm. Part 2 covered the malicious LiteLLM package. Part 3 covered the Telnyx WAV steganography attack. This post covers the latest wave: three malicious versions of xinference on PyPI, carrying the same credential-stealing playbook and a plot twist. On April 22, 2026, Mend.io’s threat detection identified malicious versions of xinference on PyPI: 2.6.0, 2.6.1, and 2.6.2.
|
By Shannon Davis
Why the next Log4Shell will be won or lost in the first 72 hours—and what a modern zero‑day workflow looks like. Every security team remembers where they were when Log4Shell dropped. A quiet Friday afternoon in December 2021 turned into a weekend of war rooms, emergency patches, and executive updates. Years on, the Log4j fallout still shows up in breach reports—a stubborn reminder that zero‑days don’t end when the news cycle does.
|
By AJ Starita
SAST, or Static Application Security Testing, is a method of analyzing source code to find vulnerabilities before the application is deployed. It's a type of white box testing that scans the code without executing it, looking for weaknesses that could be exploited. SAST helps developers identify and fix security issues early in the Software Development Life Cycle (SDLC), potentially reducing costs and improving the overall security posture of the application.
|
By Tiffany Jennings
Software Composition Analysis (SCA) tools expose the risks in open source dependencies by identifying vulnerabilities, outdated dependencies, and license issues in your codebase. Top solutions include Mend.io (best for automated remediation and proactive SCA), Sonatype Lifecycle (known for enterprise policy management), Snyk (known for developer experience), and Checkmarx SCA (known for comprehensive coverage).
|
By Shannon Davis
An AI just found critical vulnerabilities that survived decades of human review. If your security program isn’t built for this moment, it’s already behind. Surprise! An AI just did what your security team couldn’t.
|
By Shannon Davis
Mend.io’s new Docker Hardened Images integration brings DHI intelligence directly into the AppSec workflow, giving a smarter, faster path to container security. Container scanning has a noise problem. Run a standard scan against any production image, and you’ll surface thousands of CVEs.
|
By Tiffany Jennings
AI application security protects AI-powered apps, including those powered by large language models ( LLMs), from unique threats like prompt injection, data poisoning, and model theft. It achieves this by securing the entire lifecycle, including code, data, algorithms, and APIs, using specialized tools and processes that go beyond traditional security measures. It involves securing the AI model’s behavior, training data, and outputs.
|
By Tom Abai
On March 30-31, 2026, threat actors published two malicious versions of the popular HTTP library axios (versions 1.14.1 and 0.30.4) to the npm registry. Both versions included a new dependency named plain-crypto-js which, in its 4.2.1 release, contained a fully-featured cross-platform dropper that silently installed a Remote Access Trojan (RAT) on developer machines.
|
By Tom Abai
Part 1 covered CanisterWorm, the self-spreading npm worm. Part 2 covered the malicious LiteLLM package and its.pth persistence. This post covers the third wave: a compromised telnyxPyPI package that hides its payload inside audio files and delivers entirely different malware depending on the victim’s operating system.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Developers are often overwhelmed by thousands of container CVE alerts, most of which are unfixable base image noise. This walk-through covers how to use reachable risk factors and Docker VEX statements within the Mend.io platform to streamline your vulnerability management.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Behind every developer is a beloved programming language. In heated debates over which language is the best, the security card will come into play in support of one language or discredit another. We decided to address this debate and put it to the test by researching WhiteSource's comprehensive database. We focused on open source security vulnerabilities in C, Java, JavaScript, Python, Ruby, PHP, and C++, to find out which programming languages are most secure, which vulnerability types (CWEs) are most common in each language, and why.
|
By Mend
We surveyed over 650 developers, and collected data from the NVD, security advisories, peer-reviewed vulnerability databases, issue trackers and more, to gather the latest industry insights in open source vulnerability management.
|
By Mend
Developers across the industry are stepping up to take more responsibility for their code's vulnerability management. In this report we discuss trends in how security is shifting left to the earliest stages of development, putting the power developers in the front seat. We explore the growth of automated tools aimed at helping developers do more with fewer resources and look for answers on what is needed to help close the gap from detection to remediation.
|
By Mend
Software development teams are constantly bombarded with an increasingly high number of security alerts. Unfortunately, there is currently no agreed-upon strategy or a straightforward process for vulnerabilities' prioritization. This results in a lot of valuable development time wated on assessing vulnerabilities, while the critical security issues remain unattended.
- April 2026 (15)
- March 2026 (9)
- February 2026 (7)
- January 2026 (5)
- December 2025 (7)
- November 2025 (10)
- October 2025 (14)
- September 2025 (14)
- August 2025 (27)
- July 2025 (23)
- June 2025 (28)
- May 2025 (23)
- April 2025 (5)
- March 2025 (8)
- February 2025 (5)
- January 2025 (8)
- December 2024 (10)
- November 2024 (5)
- October 2024 (7)
- September 2024 (7)
- August 2024 (7)
- July 2024 (5)
- June 2024 (5)
- May 2024 (6)
- April 2024 (5)
- March 2024 (7)
- February 2024 (6)
- January 2024 (4)
- December 2023 (5)
- November 2023 (7)
- October 2023 (9)
- September 2023 (19)
- August 2023 (13)
- July 2023 (13)
- June 2023 (15)
- May 2023 (11)
- April 2023 (10)
- March 2023 (12)
- February 2023 (10)
- January 2023 (14)
- December 2022 (14)
- November 2022 (11)
- October 2022 (16)
- September 2022 (7)
- August 2022 (4)
- July 2022 (4)
- June 2022 (11)
- May 2022 (13)
- April 2022 (9)
- March 2022 (7)
- February 2022 (6)
- January 2022 (9)
- December 2021 (15)
- November 2021 (5)
- October 2021 (5)
- September 2021 (5)
- August 2021 (4)
- July 2021 (4)
- June 2021 (4)
- May 2021 (4)
- April 2021 (7)
- March 2021 (4)
- February 2021 (4)
- January 2021 (3)
- December 2020 (2)
- November 2020 (3)
- October 2020 (5)
- September 2020 (5)
- August 2020 (4)
- July 2020 (7)
- June 2020 (7)
- May 2020 (6)
- April 2020 (16)
- March 2020 (1)
- October 2018 (1)
No component overlooked. Mend identifies every open source component in your software, including dependencies. It then secures you from vulnerabilities and enforces license policies throughout the software development lifecycle. The result? Faster, smoother development without compromising on security.
Not all vulnerabilities are created equal. Mend prioritizes vulnerabilities based on whether your code utilizes them or not, so you know exactly what needs your attention the most. This reduces security alerts by up to 85%, allowing you to remediate more critical issues faster.
Complete Platform:
- Mend Core: We help you keep things in order. Mend is built to streamline your open source governance. With a full layer of alerting, reporting and policy management, you are effortlessly secure and always in control.
- Mend for Developers: Mend for Developers is uniquely designed to simplify developers’ work, while keeping the code secure. Its suite of tools helps speed up integration, find problematic components, and remediate them quickly and easily.
- Mend for Containers: Mend integrates into all stages of the container development lifecycle, including container registries and Kubernetes with automated policy enforcement for maximum visibility and control.
The simplest way to secure and manage open source components in your software.