Search Results

Anthropic's newest model reaches the highest functional and security scores we've ever measured. But roughly four out of five solutions still ship with vulnerabilities.

The Dangers of Reusing Protobuf Definitions: Critical Code Execution in protobuf.js (GHSA-xq3m-2v4x-88gg)

It's About Thyme: How a Whitespace Character Broke Thymeleaf's Expression Sandbox (CVE-2026-40478)

AI-generated code passes tests but fails security. This report benchmarks agents, exposing a persistent gap between functional correctness and secure outcomes.

AI coding agents can write working code, but mostly not secure code. Explore benchmark results showing over 80% of AI-generated code contains vulnerabilities.

Blockchain-based C2 lets attackers run malware infrastructure that can’t be taken down. Learn how it works, why it’s spreading, and what defenders can still do.

WebSocket pre-auth RCE, confirmed exploited in the wild within 10 hours of disclosure. Tens to hundreds of instances may remain exposed. Upgrade to 0.23.0.

What do security practitioners and software engineers actually fear about open source malware? We asked 605 professionals. Here is what 141 of them said, in their own words.

New Endor Labs research reveals 92% of npm account takeovers occurred in 2025, targeting packages with millions of downloads

Investigating, remediating, and hardening your environment in the wake of the TeamPCP campaign — from an organization that went through the process itself.

TeamPCP Strikes Again: Telnyx Compromised

Lessons in Hardening GitHub Actions

AI has collapsed the cost of offense to pocket change.

Supply Chain Attack on popular PyPI library LiteLLM

AI agents have transformed how software gets built, but they’re introducing risk at a scale humans can’t review. This solution brief shows how AURI by Endor Labs embeds security directly into developer workflows, combining agentic reasoning with deterministic program analysis to enable teams to code without compromise.

The malicious Python package pyronut copies the entire project description and code of the popular pyrogram Telegram framework to pass itself off as the real thing, while silently installing a runtime backdoor that grants the attacker arbitrary Python and shell command execution on every victim's machine.

The Glassworm threat attacker took over the npm account of a maintainer

Endor Labs has partnered with Zscaler to bring Zero Trust to the AI-native software supply chain

The EU Cyber Resilience Act shifts software liability to vendors, requiring continuous vulnerability management and security updates across the product lifecycle.

We detected 88 malicious open source packages on npm

Endor Labs and Cloudsmith combine deep vulnerability intelligence with artifact governance to secure the modern software and AI supply chain.

AURI shifts security into the architecture of agentic coding with free tools for developers and agents to detect vulnerabilities, block malware, and fix security bugs.

We discovered a serious RCE in Ghost CMS

A practical guide for application security teams.

Endor Labs researcher found CVE-2026-27959 in Koa

Anthropic’s announcement of Claude Code Security validates that application security is the critical frontier in agentic software development and cybersecurity.

SANDWORM_MODE: Dissecting a Multi-Stage npm Supply Chain Attack

Critical vulnerability in fast-xml-parser allows injection attacks

How Endor Labs' AI SAST engine identified a path traversal vulnerability in OpenClaw's apply_patch tool tracked as (GHSA-r5fq-947m-xm57)

A compromised release of the popular Cline CLI npm package silently installs OpenClaw globally on any machine.

We discovered six vulnerabilities in OpenClaw using Endor Labs’ AI SAST data flow analysis and validated working exploits.

As CVEs surge and AI speeds delivery, container OS reachability is key to reducing noise and real AppSec risk.

Cut container vulnerability noise by up to 90% with full-stack reachability analysis spanning application and container image OS layers.

How Endor Labs AI SAST identified 7 exploitable vulnerabilities in OpenClaw through accurate data flow analysis and systematic exploit validation.

AI coding assistants are introducing systemic architectural weaknesses that have major consequences for application security.

AI is reshaping software development. Learn how security can become invisible guardrails inside the AI SDLC, so teams move faster without compromising safety.

Use a “test-first” prompting pattern to improve AI-generated code security through test-driven development (TDD).

CVE in n8n allows unauthenticated users to achieve remote code execution (RCE) via sandbox escape.

AI coding assistants are reducing simple security flaws, but SAST tools need better context and agent integration to catch what remains.

Evaluate Snyk alternatives that solve alert fatigue and false positives while driving remediation. Compare developer-friendly AppSec platforms, open source tools, and runtime solutions.

Learn why this malware attack vector is a big risk for open source software consumers.

MCP servers inherit classical vulnerabilities like command injection, path traversal, and SSRF. Here's why LLMs and MCP deserve the same security practices as traditional applications.

101 packages disguised as font files distributed 34 TiB of data via npm's infrastructure—with a total of 4.3 PiB transferred via downloads.

Most breaches aren’t CVEs. Learn how subtle code and config changes caused real incidents, and why AI-aware code review is now critical.

Astronomer uses Endor Labs for SCA, malware detection, and container scanning.

Multiple Vulnerabilities Fixed in the Node.js Runtime

Attackers weaponized n8n's community nodes to steal credentials

Critical Host Header Validation Bypass in the Undertow

Critical vulnerability requires upgrade to jsPDF 4.0.0

Endor Labs integrates with Cursor hooks to detect malicious packages before AI agents install dependencies, preventing supply chain attacks at the moment of risk.

CVE-2025-13780 is a critical vulnerability in pgAdmin 4 where whitespace characters bypass regex filters, a common failure mode in input validation.

Treating a security patch as a signal, not a conclusion, led us to discover how arbitrary file writes became remote code execution in Argo Workflows.

See how Endor Labs brings developer-friendly security to life with real demo clips. Watch how vulnerabilities are prevented, prioritized, and fixed—right inside IDEs, PRs, pipelines, and Jira.

AI coding tools promise speed, but hidden security burdens drain developer productivity. Learn how context-aware AppSec cuts noise, boosts velocity, and improves DX.

React and Next.js contain a critical RCE vulnerability

Rubrik uses Endor Labs for application security, including: SCA, SAST, container scanning, and secret detection.

A breakdown of npm worms, how Shai-Hulud spread across the ecosystem, and the key security practices every team needs to prevent large-scale compromise.

Analysis of Shai-Hulud 2, a new npm supply chain attack

A look at the 2025 update to the OWASP Top 10, the most significant update since 2021

Endor Labs celebrates emerging AppSec talent at OWASP Global AppSec, highlighting Bryce’s Space Badge and investing in his future with a $5,000 scholarship.

Cut through duplicate alerts by mapping findings from static and dynamic analysis, so teams can focus on remediating the vulnerabilities that matter.

This whitepaper details Endor Labs' multi-modal approach to AI SAST, leveraging agentic reasoning, program analysis, and advanced rules to eliminate 95% of false positives while surfacing complex logic flaws.

Endor Labs AI SAST detects business logic flaws and reduces false positives by up to 95% by orchestrating multiple AI agents to review code.

How GlassWorm Exploited Unicode Shadows in VS Code Supply Chains

Together Endor Labs and Upwind deliver complete visibility across code and cloud for strong security posture management across the SLDC.

How a sophisticated spam campaign hijacked popular NPM packages with Indonesian food names as part of a global software supply chain attack.

Endor Labs reveals critical RCE flaws in Happy DOM, showing how weak JavaScript sandboxes enable prototype pollution and unsafe code execution in Node.js.

Endor Labs now offers native support for OWASP SPVS, helping teams secure every stage of the software delivery pipeline from Plan to Operate.

The 2025 update to the OWASP Top 10 for Web Applications elevated software supply chain failures to the third leading risk.

Critical SQL Injection Vulnerability in Django (CVE-2025-64459). Learn what happened, root cause, impact, and how to mitigate.

Traditional SAST tools miss vulnerabilities while overwhelming teams with false positives. Here's why the silent failures are more dangerous than the noise.

AI Coding Agents and Software Supply Chain Risk

New research shows that AI-generated code becomes less secure with each iteration—highlighting why developers need guardrails and structured approaches.

Shift-left security programs are failing and SAST is partly to blame. Shifting security down, not left, is how we make it work for developers.

Static analysis promised scalable secure coding. Instead, it delivered false positives and fatigue. Here’s why—and what the next era of analysis must do differently.

Learn about CVE-2025-53967, a high-severity RCE vulnerability in Framelink Figma MCP, including mitigation and vetting recommendations.

Discover how agentic UX streamlines application security workflows with proactive automation, faster decisions, and a more intuitive experience.

Protect your software supply chain from rising malware attacks. Endor Labs blocks malicious open-source dependencies early and reduces incident response.

Block risky npm releases before they spread. Endor Labs’ new cooldown policy enforces wait times to stop malware attacks.

Enterprises must extend Zero Trust security principles to open source: assume nothing is safe, verify every dependency, and enforce guardrails across the software supply chain.

Too often, malware isn’t a priority until there’s a high-profile attack. But with the recent escalation of attacks, it’s time to make malware a first-party citizen in application security programs.

Learn how Travis McPeak is building an AppSec program that's both effective and non-disruptive to the engineering team's workflow.

As AI reshapes software development, security teams can be the catalyst for unlocking productivity without sacrificing safety.

Practical steps security teams and developers can take to reduce risks from software supply chain attacks targeting the npm registry.

A virus-like npm malware attack has spread to 180+ packages so far, including CrowdStrike and Tinycolor.

AppSec company’s rapid growth reflects rising demand for security built for the speed and scale of engineering teams shaping the future of software with AI

Popular npm packages including chalk and debug were compromised in a major supply chain attack. Learn what happened, root cause, impact, and how to mitigate.

Nx supply chain attack: malicious npm versions of Nx exfiltrated SSH keys and tokens to GitHub—abusing AI code assistants. Learn how to detect and fix.

Endor Labs improves C/C++ SCA by combining cryptographic hashing, code embeddings, and a curated index for accurate dependency and vulnerability detection.

Cursor uses Endor Labs for SCA and dependency management. Learn how they reduced noise, accelerated remediation, and enabled both stable code and focused engineers.

Kudelski Security uncovered an RCE flaw in CodeRabbit exposing 1M+ repos. Here’s what happened, how it was fixed, and key lessons for secure AI apps.

Unvetted AI models and services are entering your codebase. Do you have a plan to find and govern them?