I’ve performed hundreds of security reviews over a decade. Here’s how to stack the deck in your favor. One of the most critical phases of the secure software development cycle is the security audit: an independent assessment of one’s code or systems that’s designed to flag possible flaws. I’ve…

OPSEC FAILURE OF THE YEAR How North Korea pulled off a $1.5 billion crypto heist—the biggest in history Attack on Bybit didn’t hack infrastructure or exploit smart contract code. So how did it work? Dan Goodin – Feb 24, 2025 6:41 pm | 225 An ethereum coin. Credit: CFOTO/Future Publishing via Getty…

This audio is auto-generated. Please let us know if you have feedback. Virtually all of the top officials at the Cybersecurity and Infrastructure Security Agency (CISA) have departed the agency or will do so this month, according to an email obtained by Cybersecurity Dive, further widening a growing…

You know MCP servers, right? Those handy tools that let your AI assistant send emails, run database queries, basically handle all the tedious stuff we don't want to do manually anymore. Well, here's the thing not enough people talk about: we're giving these tools god-mode permissions. Tools built by…

📅 September 21, 2025 - Latest Update Join the Discussion! This research has sparked important conversations across the security community: Hacker News Discussion: The Hidden Risk in Notion 3.0 AI Agents X (formerly Twitter) Thread: CodeIntegrity Research We encourage security researchers, AI safety…

The state-backed hackers who breached cybersecurity company F5 Inc. broke in beginning in late 2023 and lurked in the company’s systems until being discovered in August of this year, according to people who were briefed by F5 about the incident. The attackers penetrated F5’s computer systems by…

In the last few months, artificial intelligence (AI) is popping up in all kinds of headlines, ranging from technical software developer websites to the Sunday comics. There’s no secret why. Given the recent explosion in the capabilities of large language models (LLMs) and generative AI,…

OKAY. OKAY. OKAY. It can be a vulnerability. But it’s almost never the root cause. I think we need to change how we talk about prompt injection. A lot of security folks have treated it like it’s always a stand-alone vulnerability that can be fixed (including me), but I’ve changed my mind and I’m…

A new npm supply-chain campaign, SHA1-HULUD, has compromised multiple popular packages, including those from Zapier, ENS Domains, PostHog, and Postman, and resulting in the creation of repositories on GitHub containing victim data. This new campaign references the prior Shai-Hulud incident. Wiz…

Correction: After publishing, Red Hat confirmed that it was a breach of one of its GitLab instances, and not GitHub. Title and story updated. An extortion group calling itself the Crimson Collective claims to have stolen nearly 570GB of compressed data across 28,000 internal development…

Chinese national flags flutter at Tiananmen square ahead of the annual two sessions on February 29, 2024 in Beijing, China. VCG/Getty Images CNN — Suspected Chinese hackers have broken into the email accounts of attorneys and advisers at a powerful Washington, DC, law firm in an apparent…

A Prisma AIRS Power Play! Palo Alto Networks Completes Acquisition of Protect AI Read the Press Release Platform Platform Products Guardian AI Model Security with Zero Compromises Recon Scalable Red Teaming for AI Layer Runtime Security for Tomorrow’s AI Open Source ModelScan LLM Guard Secure by…

Speedrunners are Vulnerability Researchers - Zetier Home Capabilities Careers Blog Speedrunners are vulnerability researchers, they just don't know it yet February 26, 2025 a Senior Cyber Engineer Thousands of video game enthusiasts are developing experience in the cybersecurity industry by…

Introduction A few weeks back I found myself in the Semgrep slack channel trying to find out whether the extensive effort I had put into developing a set of custom security vulnerability detections as part of my work for one of my main clients was about to go out the window. The reason was Semgrep’s…

Blog Origins In the last year or two, I have increasingly used the term “CVE farming” in conversations and LinkedIn posts [1]. This has led a few people to ask what it meant and I gave a very cliff notes version of the answer. I started taking notes for this blog a while back expecting for the…

TL;DR: We’re launching Opengrep, a fork of SemgrepCS, in response to its open-source clampdown. Last month, Semgrep announced major changes to its OSS project—strategically timed for a Friday, of course ;) Since 2017, Semgrep has been a cornerstone of the open-source security community, offering a…

Fortinet Confirms Exploitation Of ‘Critical’ Vulnerability In FortiOS, FortiProxy HOME ▸ news ▸ security ▸ 2025 ▸ Fortinet Confirms Exploitation Of ‘Critical’ Vulnerability In FortiOS, FortiProxy SecurityJanuary 14, 2025, 1:06 PM EST The confirmation comes after Arctic Wolf researchers said that…

We have discovered multiple security vulnerabilities in the Azure Health Bot service, a patient-facing chatbot that handles medical information. The vulnerabilities, if exploited, could allow access to sensitive infrastructure and confidential medical data. All vulnerabilities have been fixed…

ByThomas Brewster, Forbes Staff. The Wiretap is your weekly digest of cybersecurity, internet privacy and surveillance news. To get it in your inbox, subscribe here. In late October, a week before the presidential election, Kamala Harris’ cybersecurity team called Apple looking for help. A spyware…

Today, Ivanti warned customers about a new maximum-severity authentication bypass vulnerability in its Cloud Services Appliance (CSA) solution. The security flaw (tracked as CVE-2024-11639 and reported by CrowdStrike's Advanced Research Team) enables remote attackers to gain administrative…

By Paweł Płatek In the race to secure cloud applications, AWS Nitro Enclaves have emerged as a powerful tool for isolating sensitive workloads. But with great power comes great responsibility—and potential security pitfalls. As pioneers in confidential computing security, we at Trail of Bits have…

By Matt Schwager and Travis Peters We are publishing another set of custom Semgrep rules, bringing our total number of public rules to 115. This blog post will briefly cover the new rules, then explore two Semgrep features in depth: regex mode (especially how it compares against generic mode), and…

By Boyan Milanov We’ve developed a new hybrid machine learning (ML) model exploitation technique called Sleepy Pickle that takes advantage of the pervasive and notoriously insecure Pickle file format used to package and distribute ML models. Sleepy pickle goes beyond previous exploit techniques that…

By Matt Schwager and Sam Alws We are publishing a set of 30 custom Semgrep rules for Ansible playbooks, Java/Kotlin code, shell scripts, and Docker Compose configuration files. These rules were created and used to audit for common security vulnerabilities in the listed technologies. This new release…

By Dominik Klemba and Dominik Czarnota This post will guide you through using AddressSanitizer (ASan), a compiler plugin that helps developers detect memory issues in code that can lead to remote code execution attacks (such as WannaCry or this WebP implementation bug). ASan inserts checks around…

By Matt Schwager Trail of Bits is excited to introduce Ruzzy, a coverage-guided fuzzer for pure Ruby code and Ruby C extensions. Fuzzing helps find bugs in software that processes untrusted input. In pure Ruby, these bugs may result in unexpected exceptions that could lead to denial of service, and…

By Artur Cygan Fuzzing—one of the most successful techniques for finding security bugs, consistently featured in articles and industry conferences—has become so popular that you may think most important software has already been extensively fuzzed. But that’s not always the case. In this blog post,…

Robert Lemos, Contributing WriterDecember 18, 2023 5 Min Read Source: Zakharchuk via Shutterstock When videoconferencing service Zoom searched for a better way to assign a severity to vulnerabilities found during bug bounty programs, the company's security team could not find a suitable approach:…

Microsoft is overhauling its security processes after a series of high-profile attacks in recent years. Security is now Microsoft’s “top priority,” the company outlined today in response to ongoing questions about its security practices and the US Cyber Safety Review Board’s labeling of Microsoft’s…

Forty percent of cyber teams have not reported a cyber incident out of fear of losing their jobs, a new report has shown. This signifies a serious underreporting of cyber breaches globally, cybersecurity company VikingCloud says. VikingCloud’s research – The 2024 Threat Landscape Report: Cyber…

Amazon has confirmed that employee data was compromised after a “security event” at a third-party vendor. In a statement given to TechCrunch on Monday, Amazon spokesperson Adam Montgomery confirmed that employee information had been involved in a data breach. “Amazon and AWS systems remain secure,…

It's patch time for Firefox fans as Mozilla issues a security advisory for a critical code execution vulnerability in the browser. Mozilla said CVE-2024-9680 is a use-after-free issue in Animation timelines – the pane within the Firefox browser's Page Inspector that depicts how a given element's…

A CrowdStrike senior executive apologized for causing a global software outage that ground the operations of hospitals, airports, payment systems and personal computers around the world to a halt in July. Adam Meyers, senior vice-president for counter-adversary operations at CrowdStrike, testified…

On Tuesday, Sept. 10, we hosted the Windows Endpoint Security Ecosystem Summit. This forum brought together a diverse group of endpoint security vendors and government officials from the U.S. and Europe to discuss strategies for improving resiliency and protecting our mutual customers’ critical…