Security research, product updates, and supply chain threat intelligence.
The full post-mortem of the Mercor breach: how a cascading supply chain attack through Trivy and LiteLLM gave Lapsus$ full VPN access to an AI hiring platform trusted by OpenAI and Anthropic.
Read more →How attackers weaponized a trusted vulnerability scanner to hijack 95 million monthly downloads, harvest credentials, and deploy privileged pods across Kubernetes clusters.
Read more →Supply chain attacks are hiding in plain sight. Here's why we built Code Corgi, and how it catches what code review misses.
Read more →The full post-mortem of the CodeWall breach of McKinsey's Lilli: SQL injection in JSON keys, 22 naked endpoints, prompt layer compromise.
Read more →How attackers embed malicious instructions in calendar invites, emails, and documents to hijack AI assistants — and how Calendar Sentry's security patch stops it.
Read more →Vibe-coded applications skip authentication, hardcode secrets, and ship without security headers. API Phantom is a drop-in framework that fixes all of it.
Read more →How a single malicious Google Calendar invite gave attackers control of Gemini's AI assistant, exfiltrated emails, and opened smart home windows — without the victim clicking anything.
Read more →