Blog

Treating a security patch as a signal, not a conclusion, led us to discover how arbitrary file writes became remote code execution in Argo Workflows.

See how Endor Labs brings developer-friendly security to life with real demo clips. Watch how vulnerabilities are prevented, prioritized, and fixed—right inside IDEs, PRs, pipelines, and Jira.

AI coding tools promise speed, but hidden security burdens drain developer productivity. Learn how context-aware AppSec cuts noise, boosts velocity, and improves DX.

React and Next.js contain a critical RCE vulnerability

A breakdown of npm worms, how Shai-Hulud spread across the ecosystem, and the key security practices every team needs to prevent large-scale compromise.

Analysis of Shai-Hulud 2, a new npm supply chain attack

A look at the 2025 update to the OWASP Top 10, the most significant update since 2021

Endor Labs celebrates emerging AppSec talent at OWASP Global AppSec, highlighting Bryce’s Space Badge and investing in his future with a $5,000 scholarship.

Cut through duplicate alerts by mapping findings from static and dynamic analysis, so teams can focus on remediating the vulnerabilities that matter.

Endor Labs AI SAST detects business logic flaws and reduces false positives by up to 95% by orchestrating multiple AI agents to review code.

Together Endor Labs and Upwind deliver complete visibility across code and cloud for strong security posture management across the SLDC.

How a sophisticated spam campaign hijacked popular NPM packages with Indonesian food names as part of a global software supply chain attack.

Endor Labs reveals critical RCE flaws in Happy DOM, showing how weak JavaScript sandboxes enable prototype pollution and unsafe code execution in Node.js.

Endor Labs now offers native support for OWASP SPVS, helping teams secure every stage of the software delivery pipeline from Plan to Operate.

The 2025 update to the OWASP Top 10 for Web Applications elevated software supply chain failures to the third leading risk.

Critical SQL Injection Vulnerability in Django (CVE-2025-64459). Learn what happened, root cause, impact, and how to mitigate.

Traditional SAST tools miss vulnerabilities while overwhelming teams with false positives. Here's why the silent failures are more dangerous than the noise.

New research shows that AI-generated code becomes less secure with each iteration—highlighting why developers need guardrails and structured approaches.

Shift-left security programs are failing and SAST is partly to blame. Shifting security down, not left, is how we make it work for developers.

Static analysis promised scalable secure coding. Instead, it delivered false positives and fatigue. Here’s why—and what the next era of analysis must do differently.

Learn about CVE-2025-53967, a high-severity RCE vulnerability in Framelink Figma MCP, including mitigation and vetting recommendations.

Discover how agentic UX streamlines application security workflows with proactive automation, faster decisions, and a more intuitive experience.

Block risky npm releases before they spread. Endor Labs’ new cooldown policy enforces wait times to stop malware attacks.

Enterprises must extend Zero Trust security principles to open source: assume nothing is safe, verify every dependency, and enforce guardrails across the software supply chain.

Too often, malware isn’t a priority until there’s a high-profile attack. But with the recent escalation of attacks, it’s time to make malware a first-party citizen in application security programs.