|
By Alina Podoba
On 2026-05-22, an attacker rewrote every repository tag across four Composer packages in the Laravel-Lang ecosystem to point at malicious commits. The affected packages are laravel-lang/lang, laravel-lang/attributes, laravel-lang/http-statuses, and laravel-lang/actions. The rewrite took place on 2026-05-22 into the early hours of 2026-05-23. Every malicious commit makes the same two-file change: one entry added to composer.json, and one new file at src/helpersphp.
|
By Tiffany Jennings
The Cyber Resilience Act (CRA) is an EU regulation that sets binding cybersecurity requirements for any "product with digital elements" placed on the European Union market. It is the first horizontal EU law that holds manufacturers accountable for the security of hardware and software throughout the entire product lifecycle—from design to end-of-support.
|
By Alina Podoba
An active supply chain attack has compromised 323 npm packages published under the atool npm maintainer account. The wave sweeps the entire @antv data-visualization organization alongside standalone libraries with wide independent adoption: echarts-for-react, timeago.js, size-sensor, and canvas-nest.js. With echarts-for-react pulling roughly 1.1 million weekly downloads, any project that auto-updates these packages is in scope.
|
By Maciej Mensfeld
On May 11, 2026, Mend Defender flagged more than 120 malicious packages newly published to RubyGems — the standard package manager for the Ruby ecosystem. Within 24 hours, that initial cluster expanded into something far larger: tens of thousands of packages pushed by thousands of attacker-controlled accounts, forcing RubyGems to suspend new account registration entirely while the cleanup got underway.
|
By Tom Abai
The Mini Shai-Hulud supply chain campaign has resurfaced with its largest wave yet. Over a 48-hour window on May 11-12, 2026, attackers compromised 172 unique packages across 403 malicious versions on npm and PyPI, including high-profile scopes like @tanstack, @uipath, @mistralai, and @opensearch-project.
|
By Jamie Tanna
At Mend.io, we understand better than some the weight that sits atop the shoulders of open source maintainers who support the ecosystem at large. These maintainers need to keep on top of supply chain security best practices, keep their dependencies up-to-date, taking on new contributions from users, all the while trying to squeeze that into their “off hours”.
|
By Tiffany Jennings
Static Application Security Testing (SAST) has become a critical part of modern DevSecOps. With software supply chain attacks rising and compliance requirements tightening, organizations need reliable SAST solutions that integrate into development workflows, reduce false positives, and deliver actionable remediation. Choosing the right tool is not just about scanning for vulnerabilities, it is about empowering developers to code securely without slowing delivery.
|
By Tom Abai
Mend’s security research team has identified a previously undocumented fifth wave of the PhantomRaven campaign, an ongoing NPM supply chain attack that has been stealing developer credentials and secrets since August 2025. This new wave uses a fresh command-and-control server, 33 new malicious packages, and a more sophisticated three-stage payload chain.
|
By Dor Hayun
A new Linux kernel LPE disclosed by Theori/Xint lets any unprivileged local user become root with a 732-byte Python script. Works first try, no race, no per-kernel offsets. CVSS 7.8 (High), effectively critical for shared-kernel and multi-tenant environments.
|
By Tom Abai
This post covers a supply chain attack introducing a capability not seen before: using an AI coding assistant’s own GitHub access to commit malicious code to a corporate repository.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
|
By Mend
Developers are often overwhelmed by thousands of container CVE alerts, most of which are unfixable base image noise. This walk-through covers how to use reachable risk factors and Docker VEX statements within the Mend.io platform to streamline your vulnerability management.
|
By Mend
Behind every developer is a beloved programming language. In heated debates over which language is the best, the security card will come into play in support of one language or discredit another. We decided to address this debate and put it to the test by researching WhiteSource's comprehensive database. We focused on open source security vulnerabilities in C, Java, JavaScript, Python, Ruby, PHP, and C++, to find out which programming languages are most secure, which vulnerability types (CWEs) are most common in each language, and why.
|
By Mend
We surveyed over 650 developers, and collected data from the NVD, security advisories, peer-reviewed vulnerability databases, issue trackers and more, to gather the latest industry insights in open source vulnerability management.
|
By Mend
Developers across the industry are stepping up to take more responsibility for their code's vulnerability management. In this report we discuss trends in how security is shifting left to the earliest stages of development, putting the power developers in the front seat. We explore the growth of automated tools aimed at helping developers do more with fewer resources and look for answers on what is needed to help close the gap from detection to remediation.
|
By Mend
Software development teams are constantly bombarded with an increasingly high number of security alerts. Unfortunately, there is currently no agreed-upon strategy or a straightforward process for vulnerabilities' prioritization. This results in a lot of valuable development time wated on assessing vulnerabilities, while the critical security issues remain unattended.
- May 2026 (13)
- April 2026 (17)
- March 2026 (9)
- February 2026 (7)
- January 2026 (5)
- December 2025 (7)
- November 2025 (10)
- October 2025 (14)
- September 2025 (14)
- August 2025 (27)
- July 2025 (23)
- June 2025 (28)
- May 2025 (23)
- April 2025 (5)
- March 2025 (8)
- February 2025 (5)
- January 2025 (8)
- December 2024 (10)
- November 2024 (5)
- October 2024 (7)
- September 2024 (7)
- August 2024 (7)
- July 2024 (5)
- June 2024 (5)
- May 2024 (6)
- April 2024 (5)
- March 2024 (7)
- February 2024 (6)
- January 2024 (4)
- December 2023 (5)
- November 2023 (7)
- October 2023 (9)
- September 2023 (19)
- August 2023 (13)
- July 2023 (13)
- June 2023 (15)
- May 2023 (11)
- April 2023 (10)
- March 2023 (12)
- February 2023 (10)
- January 2023 (14)
- December 2022 (14)
- November 2022 (11)
- October 2022 (16)
- September 2022 (7)
- August 2022 (4)
- July 2022 (4)
- June 2022 (11)
- May 2022 (13)
- April 2022 (9)
- March 2022 (7)
- February 2022 (6)
- January 2022 (9)
- December 2021 (15)
- November 2021 (5)
- October 2021 (5)
- September 2021 (5)
- August 2021 (4)
- July 2021 (4)
- June 2021 (4)
- May 2021 (4)
- April 2021 (7)
- March 2021 (4)
- February 2021 (4)
- January 2021 (3)
- December 2020 (2)
- November 2020 (3)
- October 2020 (5)
- September 2020 (5)
- August 2020 (4)
- July 2020 (7)
- June 2020 (7)
- May 2020 (6)
- April 2020 (16)
- March 2020 (1)
- October 2018 (1)
No component overlooked. Mend identifies every open source component in your software, including dependencies. It then secures you from vulnerabilities and enforces license policies throughout the software development lifecycle. The result? Faster, smoother development without compromising on security.
Not all vulnerabilities are created equal. Mend prioritizes vulnerabilities based on whether your code utilizes them or not, so you know exactly what needs your attention the most. This reduces security alerts by up to 85%, allowing you to remediate more critical issues faster.
Complete Platform:
- Mend Core: We help you keep things in order. Mend is built to streamline your open source governance. With a full layer of alerting, reporting and policy management, you are effortlessly secure and always in control.
- Mend for Developers: Mend for Developers is uniquely designed to simplify developers’ work, while keeping the code secure. Its suite of tools helps speed up integration, find problematic components, and remediate them quickly and easily.
- Mend for Containers: Mend integrates into all stages of the container development lifecycle, including container registries and Kubernetes with automated policy enforcement for maximum visibility and control.
The simplest way to secure and manage open source components in your software.