
When Malware Argues With Your AI Scanner
A credential stealer hid a prompt injection telling AI scanners the package is clean. The flip side worries me more: malware that makes the AI look away.
Insights, tutorials, and best practices for secure development

Rafter is now installable from the GitHub Marketplace. Add the Action to your workflow and Rafter scans the repo in CI on every push — dependency and supply-chain findings, secrets, and a security score, at the exact moment a vibe-coded prototype becomes real code that needs scanning.

Stripe API key security and best practices 2026: key types, sk_live_ vs sk_test_, restricted keys, rotation, and catching leaks before attackers do.

TrapDoor hid invisible instructions in CLAUDE.md and .cursorrules so coding agents could be tricked into running a fake security scan and exfiltrating developer secrets. The agent-instruction file is now part of your attack surface. Here's the attack and the defense.

Gitleaks vs TruffleHog for 2026 — detection method, speed, pre-commit and CI fit, false positives, and which secret scanner to choose for your team.

Semgrep vs SonarQube compared on custom rules, taint analysis for injection, language coverage, CI/CD fit, and pricing — with a clear pick by team profile.

How vibe-coded apps fail at error handling — and the exact prompts to fix unhandled exceptions, null derefs, and resource leaks in AI-generated code.

On April 29, 2026, Instructure detected unauthorized activity in Canvas. By May 7, the same actor had defaced login pages at multiple institutions. ShinyHunters claims data on 275 million users across 8,809 institutions and has set May 12 as a leak deadline. The data scope is narrow — names, emails, student IDs, Canvas messages — and that is precisely what makes the second-order phishing wave dangerous.

Zach Rice — the creator of Gitleaks — shipped a new scanner called Betterleaks. It uses byte-pair encoding token efficiency instead of Shannon entropy and lifts recall from 70.4% to 98.6% on the CredData benchmark. Here's what that actually means.

On April 30, 2026, two malicious versions of the PyPI package lightning — 2.6.2 and 2.6.3 — were published with credential-stealing code that activates on import. The package backs PyTorch Lightning, a 31,000-star AI-training library. The detail worth stopping on: every poisoned commit the worm pushes to victim repositories is authored under a hardcoded identity designed to impersonate Anthropic's Claude Code.

Compare the top vulnerability scanning tools for 2026. See how Snyk, SonarQube, Semgrep, CodeQL, GitHub Advanced Security, and Rafter stack up on accuracy, speed, language support, and pricing.

On April 26, 2026, Robinhood's own mail infrastructure sent phishing emails to its own users. SPF, DKIM, and DMARC all passed. The malicious HTML and phishing URL were interpolated into the email body by an unsanitized device-name field during the attacker's signup flow. Humans noticed on a careful read. Inbox-reading AI agents — built to trust the signed channel and act on what's inside — won't.