Blog

Endor Labs reveals critical RCE flaws in Happy DOM, showing how weak JavaScript sandboxes enable prototype pollution and unsafe code execution in Node.js.

Endor Labs now offers native support for OWASP SPVS, helping teams secure every stage of the software delivery pipeline from Plan to Operate.

The 2025 update to the OWASP Top 10 for Web Applications elevated software supply chain failures to the third leading risk.

Critical SQL Injection Vulnerability in Django (CVE-2025-64459). Learn what happened, root cause, impact, and how to mitigate.

Traditional SAST tools miss vulnerabilities while overwhelming teams with false positives. Here's why the silent failures are more dangerous than the noise.

New research shows that AI-generated code becomes less secure with each iteration—highlighting why developers need guardrails and structured approaches.

Shift-left security programs are failing and SAST is partly to blame. Shifting security down, not left, is how we make it work for developers.

Static analysis promised scalable secure coding. Instead, it delivered false positives and fatigue. Here’s why—and what the next era of analysis must do differently.

Learn about CVE-2025-53967, a high-severity RCE vulnerability in Framelink Figma MCP, including mitigation and vetting recommendations.

Discover how agentic UX streamlines application security workflows with proactive automation, faster decisions, and a more intuitive experience.

Block risky npm releases before they spread. Endor Labs’ new cooldown policy enforces wait times to stop malware attacks.

Enterprises must extend Zero Trust security principles to open source: assume nothing is safe, verify every dependency, and enforce guardrails across the software supply chain.

Too often, malware isn’t a priority until there’s a high-profile attack. But with the recent escalation of attacks, it’s time to make malware a first-party citizen in application security programs.

Practical steps security teams and developers can take to reduce risks from software supply chain attacks targeting the npm registry.

A virus-like npm malware attack has spread to 180+ packages so far, including CrowdStrike and Tinycolor.

AppSec company’s rapid growth reflects rising demand for security built for the speed and scale of engineering teams shaping the future of software with AI

Popular npm packages including chalk and debug were compromised in a major supply chain attack. Learn what happened, root cause, impact, and how to mitigate.

Nx supply chain attack: malicious npm versions of Nx exfiltrated SSH keys and tokens to GitHub—abusing AI code assistants. Learn how to detect and fix.

Endor Labs improves C/C++ SCA by combining cryptographic hashing, code embeddings, and a curated index for accurate dependency and vulnerability detection.

Kudelski Security uncovered an RCE flaw in CodeRabbit exposing 1M+ repos. Here’s what happened, how it was fixed, and key lessons for secure AI apps.

Unvetted AI models and services are entering your codebase. Do you have a plan to find and govern them?

Greg Pettengill, a Principal Product Security Engineer at Five9, is an early adopter of startup technology. In this article he shares his methodology for picking vendors that can deliver on promises.

Endor Labs now detects end-of-life (EOL) software in containers, helping AppSec teams eliminate risk early.

Learn about the most common and emerging security risks of AI-generated code, from injection flaws to hallucinated dependencies.

Developers are generating more code with AI coding assistants, but release velocity isn’t increasing. Here’s how to fix it.