Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On May 11, 2026, between 19:20 and 19:26 UTC, 84 malicious npm package artifacts were published across 42 packages in the @tanstack namespace. The packages were not published by an attacker who stole credentials; they were published by TanStack's legitimate release pipeline, using its trusted OIDC identity, after attacker-controlled code hijacked the runner mid-workflow. The malicious versions spread to Mistral AI, UiPath, and dozens of other maintainers within hours.

According to the State of Application Security report 2025 Report, DDoS attacks targeting retail and e-commerce increased by 420%, API attacks rose by 104%, and API vulnerability exploitation grew 13-fold. For modern e-commerce, which relies heavily on APIs for mobile apps, third-party logistics, payment gateways, and inventory management, this is a critical vulnerability.

For about thirty years, security has rested on the assumption that the measures guarding your systems do not have opinions. A firewall does not care how politely you ask it to open a port. An SQL filter does not weigh the context of a query before deciding whether to pass it through. An authentication check does not get distracted or talked round. You either present the right credential or you do not, and the answer is the same every time you ask.

A high-severity double-free vulnerability in Apache HTTP Server 2.4.66 allows low-privileged attackers to remotely crash vulnerable servers through a crafted HTTP/2 request sequence, with a demonstrated path to remote code execution on common Linux deployments. Tracked as CVE-2026-23918, the vulnerability exists in Apache’s mod_http2 module and affects deployments using multi-threaded MPMs such as worker and event.

Top tips is a weekly column where we highlight what’s trending in the tech world and share ways to stay ahead. This week, we’re looking at how the gap between a vulnerability and an attack is shrinking rapidly. A vulnerability is discovered. It could be a small bug, a missed update, or a gap in how a system is configured. It gets reported, documented, and sometimes even publicly disclosed. For a long time, there used to be an extended window between discovery and attack.

CVE-2026-0300 is a critical buffer overflow vulnerability in the User-ID Authentication Portal (Captive Portal) of Palo Alto Networks PAN-OS. It allows unauthenticated remote attackers to send specially crafted packets and execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls. The flaw, actively exploited in the wild since early May 2026, stems from improper handling of input in the authentication portal service.

Understanding the difference between penetration testing and vulnerability assessment is an important part of building an effective security programme. While the terms are often used interchangeably, they serve distinct purposes and provide different types of insight into an organisation’s risk profile. For technology-led organisations, particularly those operating complex SaaS platforms or cloud environments, both approaches have a role to play.