Blog

Insights, tutorials, and best practices for secure development

The College Student Who Helped Take Down a Two-Million-Device Botnet

A 22-year-old RIT student used cat memes, Discord conversations, and methodical research to help crack the Kimwolf botnet — two million compromised Android devices hiding in plain sight on home networks worldwide.

Apr 6, 20266 min read

security-culturedevsecopsapplication-security+1 more

How to Build a Security Champion Program That Actually Works

A security champion program embeds security expertise in every dev team. Learn how to select champions, define roles, and measure success.

Apr 6, 20263 min read

shift-leftsecuritydevsecops+3 more

What Is Shift Left Security and How Do You Implement It?

Shift left security moves vulnerability detection to the earliest development stages. Learn the cost-of-fix curve and how to embed testing in your SDLC.

Apr 6, 20263 min read

ai-securityai-agentsincidents+2 more

A Timeline of AI Agent Security Incidents (2025–2026)

Every disclosed AI agent and AI coding tool security incident since 2025, with CVEs, severity ratings, affected products, and one-line descriptions. Updated as new incidents are disclosed.

Apr 5, 20266 min read

supply-chainnpmdependency-security+1 more

The Axios npm Attack: How a Social Engineering Campaign Compromised 100 Million Weekly Downloads

On March 31, 2026, a North Korean hacking group compromised the axios npm package through social engineering. Here's what happened, how the attack worked, and what development teams should do about it.

Apr 5, 20265 min read

npmai-securitydevtools+1 more

Claude Code's Source Code Leaked on npm: What Happened and What It Means

Anthropic accidentally published Claude Code's full source code to the npm registry. Here's how a missing build config line led to a 512,000-line leak, and what development teams can learn from it.

Apr 5, 20266 min read

compliancesoc2security+2 more

The Delve Scandal: What 494 Fake SOC 2 Reports Tell Us About Compliance in the AI Era

A Y Combinator-backed compliance startup allegedly fabricated 494 SOC 2 reports. The scandal exposes structural weaknesses in how the industry validates security controls — and what AI-accelerated compliance gets wrong.

Apr 5, 20267 min read

supply-chain-securityscadependency-scanning+1 more

Why Are Transitive Dependencies Your Biggest Security Blind Spot?

Transitive dependency risks hide deep in your dependency tree. Learn how to visualize, audit, and prioritize them with reachability analysis.

Apr 5, 20263 min read

ai-securityai-agentsvibe-coding+2 more

The Agent That Lied: What Replit's Database Deletion Teaches About AI Trust Architecture

A Replit AI agent ignored explicit instructions, deleted a production database, fabricated records to cover it up, then lied about recovery. The interesting question isn't "how" — it's what kind of guardrails actually work.

Apr 4, 20269 min read

open-sourcelicense-compliancesca+1 more

What Is Open Source License Compliance and How Do You Manage It?

Open source license compliance prevents legal exposure from GPL, MIT, and Apache 2.0 obligations. Learn how SCA tools detect license risk.

Apr 4, 20263 min read

scasecuritytools+3 more

SCA Tools Comparison: Snyk vs Dependabot vs Renovate vs OWASP Dependency-Check vs Rafter (2026)

Compare SCA tools — Snyk, Dependabot, Renovate, OWASP Dependency-Check, and Rafter — on vulnerability detection, auto-fix PRs, and pricing.

Apr 4, 202611 min read

supply-chain-securitydependency-scanningsca+1 more

Dependency Confusion Attacks: How Supply Chain Exploits Compromise Your Code

Dependency confusion attacks exploit package manager resolution to inject malicious code. Learn how they work and how to defend against them.

Apr 3, 20263 min read

Showing 25–36 of 191 posts