AppSec Briefing
A briefing on application security developments — supply chain attacks, AI code risks, DevSecOps tooling, and how engineering teams are securing their software pipelines.
Recent Issues
Valid signatures now guarantee nothing
Signed Binaries Weaponized: DAEMON Tools Supply Chain, DigiCert EV Cert Theft DAEMON Tools versions 12.5.0.2421–12.5.0.2434 have been trojanized since April 8 — all compromised binaries (D
Your AI tools are now the attack surface
Cursor CVE-2026-26268: Git Hook RCE; Cursor Security Review and Claude Security Ship the Same Day CVE-2026-26268 in Cursor chains Git hooks and bare repositories to execute attacker scripts
AI exploits KEV vulns in 21 minutes now
Mini Shai-Hulud Hits PyPI and Packagist: Lightning, Intercom, 1,800 Developers Compromised Lightning 2.6.2 and 2.6.3 are malicious — safe version is 2.6.1: on import, start.py downloads t
Your AI tools are now the attack surface
Mini Shai-Hulud: SAP CAP npm Packages Compromised, Claude Code Sessions Weaponized as Persistence Hook Four SAP CAP Framework npm packages were trojanized April 29: @cap-js/sqlite@2.2.2,
36 hours from advisory to exploit
LiteLLM Pre-Auth SQLi Exploited in 36 Hours; GitHub git-Push RCE Left 88% of GHES Unpatched CVE-2026-42208 (CVSS 9.3) — distinct from the March supply chain attack — is a pre-auth SQL injectio
Your most trusted dev tools are the target
Supply Chain: elementary-data PyPI, 73 GlassWorm VSX Clones, Checkmarx Data Confirmed elementary-data==0.23.3 is malicious — remove immediately: a 2-day-old GitHub account posted a curl
Your AI tools are now the supply chain
Shai-Hulud Full Anatomy: Bun Runtime Drop, GitHub Dead-Drop C2, New Unit 42 IOCs Unit 42 published the full Shai-Hulud breakdown(https://www.paloaltonetworks.com/blog/cloud-security/bitwarden
3 ecosystems breached in 48 hours, rotate now
Three Ecosystems Hit in 48 Hours: Checkmarx KICS, Bitwarden CLI, xinference TeamPCP compromised Checkmarx KICS Docker Hub and VS Code extensions (April 22): malicious tags v2.1.20 and al
Dependabot just became the attack vector
Shai-Hulud Post-Mortem: Dependabot Was the Vector, Six AI Tools Named, KICS Shares C2 Dependabot is the confirmed initial access vector in at least one victim environment: GitGuardian's po
npm worm that spreads itself across ecosystems
Namastex npm CanisterWorm: 16 Packages, Recursive Token Theft, Cross-Ecosystem Spread 16 Namastex Labs npm packages confirmed compromised — including @automagik/genie, pgserve, and @fa