DevSecOps

How to Build a DevSecOps CI/CD Pipeline on Azure With GitHub Actions
Fix security problems when they’re cheap to fix, which is before the code is deployed. A pipeline that enforces this automatically is what makes that principle real ...

North Korea Expands the Reach of PolinRider Supply Chain Attack Campaign
The North Korean-sponsored threat groups behind the long-running fake interview scams targeting developers are expanding the PolinRider supply chain campaign that has escalated over the past several months. Reports from cybersecurity vendors ...

‘GitLost’ Flaw Lets Attackers Trick GitHub AI Agent Into Leaking Private Repos
Noma researchers again show how easy it is to manipulate AI agents with malicious commands via indirect prompt injection attacks ...

Novee Uncovers Cordyceps: The Latest Threat to CI/CD Pipelines
A newly discovered supply chain security flaw is once again putting a spotlight on inherent weaknesses in CI/CD pipelines and the growing interest among cyberthreat actors to exploit them. Security researchers with ...

Attackers Exploit SimpleHelp Flaw to Steal Info from AI Coding Assistants, Clouds
Threat actors are exploiting a known security flaw in the SimpleHelp remote monitoring and management (RMM) software to drop two previously unknown pieces of malware that can compromise a broad range of ...

Why CI-Based Security is Too Late for Modern Node.js Projects
Most Node.js teams rely on CI pipelines to tell them whether their dependencies are secure. By the time that feedback arrives, however, the most important decisions have already been made ...

Homebrew to Packages: No ID, No Service
Homebrew, the unofficial but default package manager for many Apple Mac users, now has safeguards to prevent supply-chain attacks. The approach mimics how GitHub just fortified npm against attacks by establishing a ...

Checkmarx Adds Hybrid SAST Engine to Improve AppSec in AI Era
Checkmarx this week revealed it has re-engineered the core engines embedded within its static application security testing (SAST) tools for the agentic artificial intelligence (AI) era. At the core of that effort ...

Survey Surfaces Depth of DevSecOps Crisis in the Age of AI
A global survey of 2,350 developers, CISOs and application security managers published this week finds that while nearly all respondents (96%) work for organizations that have embedded or connected artificial intelligence (AI) ...

Shift Left to the Developer’s Machine: Building Local Git Security Gates
Shift left to the developer's machine. The principle is what matters: Stop secrets before they ship. The tooling is a means to that end. ...

Security Flaw in Claude Code Illustrates the Risk of AI in Developer Workflows
AI coding agents are reshaping software development—but they’re also expanding the attack surface. Researchers uncovered a now-patched vulnerability in Anthropic’s Claude Code GitHub Action that could have enabled prompt injection attacks to ...

IronWorm Malware Shares Shai-Hulud Traits, Takes Threat to ‘Next Level’
Open source software developers continue to come under attack, with the latest threat being a custom malware that shares many of the attributes of the notorious Shai-Hulud self-propagating worm but comes with ...

