Tag: devsecops
36 articles

DevSecOps Becomes Essential for Modern Government IT
As AI-assisted development accelerates delivery timelines, it's also introducing new risks, with vulnerability disclosures related to AI-assisted development skyrocketing in 2026 and leaving security leaders scrambling to harden defenses. With adversaries using AI to fuel attacks, the need for DevSecOps has never been more pressing.

GitHub Actions Expose Vulnerability in CI/CD Pipelines
A single misstep in a GitHub Actions workflow can become a four-step chain to permanent credential exposure, putting your entire CI/CD pipeline at risk. Researchers have uncovered a class of vulnerabilities, dubbed Cordyceps, that can be exploited in a surprisingly simple way.

GitHub Bolsters Supply Chain Security by Blocking Pwn Request Patterns
GitHub is stepping up its game to protect your code by blocking common attack patterns on pull requests, helping to prevent security vulnerabilities from untrusted code. As of June 18, 2026, its actions/checkout v7 will refuse risky fork checkouts by default, keeping your workflows safer from attacker-controlled code.

CISOs Face Pressure to Deploy Vulnerable Code
The harsh reality is that 95% of CISOs face pressure to downplay or delay reporting security issues, leading to a staggering 75% of organizations deploying vulnerable code into production environments. It's a precarious situation that demands a new approach to prioritize security without sacrificing business goals.

AI Coding Tools Require Embedded Security to Counter Emerging Risks
Security can't keep pace with AI coding tools unless it's embedded from the start - after all, with hundreds of daily code changes, it can't be a bolt-on activity that happens after the fact. It needs to be a fundamental part of the creation process itself.

GitHub Discloses Breach from Poisoned VS Code Extension
GitHub swiftly detected and contained a security breach that originated from a tainted Visual Studio Code extension, taking immediate action to remove the malicious version and isolate the affected endpoint. The breach appears to be limited to GitHub's internal repositories, with the company rotating critical secrets and conducting a thorough investigation.

Microsoft Unveils AI-Powered Red Teaming Tools to Bolster Software Security
Microsoft is shifting the conversation around AI safety from philosophical debates to hands-on action, empowering developers to build more secure software with innovative tools. With the launch of Rampart, a cutting-edge red-teaming tool, the company is putting AI-powered security into practice, helping developers proactively identify and fix vulnerabilities.

GitHub Actions Supply Chain Attack Exfiltrates CI/CD Credentials
A sneaky supply chain attack on GitHub Actions has led to the theft of CI/CD credentials, with hackers using a clever trick to redirect tags to fake commits that hide malicious code. By masquerading as legitimate commits, attackers were able to execute arbitrary code and evade pull request reviews.

Mini Shai-Hulud Worm Targets Multiple AI, Dev Packages
Meet the Mini Shai-Hulud worm, a sneaky new malware that's infiltrating AI and development packages through a clever supply-chain attack. This malicious code can steal sensitive data from cloud providers, cryptocurrency wallets, and even popular dev tools like GitHub Actions.

TeamPCP Breaches Checkmarx Jenkins Plugin Again
If you're using the Checkmarx Jenkins AST plugin, make sure you're on a safe footing by using version 2.0.13-829.vc72453fa_1c16 or earlier, published on December 17, 2025, as newer versions may be vulnerable. Checkmarx has since released a patched version, 2.0.13-848.v76e89de8a_053, available on GitHub and the Jenkins Marketplace.

Supply-Chain Attack Targets Security, Dev Tools with Credential Theft
Malicious hackers are exploiting the very tools developers rely on, including security scanners and password managers, to steal sensitive credentials and gain unauthorized access. This latest supply-chain attack has already hit major players like Checkmarx, compromising their GitHub repository and potentially putting customer data at risk.

Checkmarx KICS Tool Compromised in Supply-Chain Breach
A critical vulnerability was discovered in the Checkmarx KICS tool due to a supply-chain breach, where a malicious Docker image was briefly hosted on DockerHub, exposing users to potential security risks between April 22, 2026, 14:17:59 UTC and 15:41:31 UTC. The breach was quickly identified and rectified, with affected tags restored and malicious images removed.

Firms Scramble to Secure AI-Generated Code
As AI-generated code becomes more prevalent, a pressing question emerges: how much attention should security teams give to code produced by artificial intelligence? The surprising answer: a lot, with 58% of organizations dedicating over 10 hours a month to securing it.

Vulnerabilities Surge as Velocity Gap Widens in AI-Driven Development
The alarming truth: while alert volume grew by 52% year-over-year, prioritized critical risks exploded by nearly 400% in just 90 days, leaving defenders scrambling to keep up with a tsunami of high-impact problems. A new dataset from OX Security reveals this velocity gap in AI-driven development, where the noise is rising - but it's the critical risks that should give defenders pause.

LiteLLM Exploit Turns Dev Machines into Hacker Credential Hubs
Your developer's workstation is the secret Achilles' heel of your enterprise, unwittingly morphing into a credential hub where sensitive authentication material is created, tested, and reused - making it a prime target for hackers. A recent exploit, dubbed LiteLLM, has already shown how these machines can be turned into treasure troves for threat actors.

Qodo Raises $70M to Mitigate AI Code Risks with Governance Platform
As businesses increasingly turn to AI to generate production code, a pressing question emerges: who will be accountable when machines write the software that runs our critical systems? With AI-generated code comes a new set of risks - bugs, security threats, and noncompliance - that governance gaps must address to ensure speed and scale don't compromise safety and reliability.

Malware Alert: Critical Axios NPM Hack Spreads Devastating Cross-Platform Threats
A critical security breach has hit Axios, a widely-used JavaScript library with over 100 million weekly downloads, leaving developers and users vulnerable to devastating cross-platform threats. This shocking incident raises a crucial question: can even the most trusted software sources be considered secure?

Anthropic Must-Have Claude Code Security, Best for Devs
Anthropic’s Claude Code Security can speed up reviews by spotting insecure calls, misconfigs and even running snippets to prove fixes—an irresistible time-saver for busy dev teams. Just don’t hand it free rein: code execution and automation change the threat model, so strong sandboxing and secret controls are essential.

DoD Cloud Modernization Exclusive: Effortless Security
DoD Cloud Modernization can deliver faster decisions, resilient logistics, and stronger security—but only if we stop equating lift-and-shift with modernization. Re-architecting apps, automating defenses, and embracing DevSecOps will turn cloud promise into real protection for soldiers, allies, and critical supply chains.

SecAlerts Exclusive: Fast, Easy Vulnerability Tracking
Cut through the noise with SecAlerts: fast, easy vulnerability tracking that flags the risks that matter and helps your team patch them before they become problems.

New npm Malware Campaign Exclusive: Severe Crypto Redirects
When the libraries you trust become trapdoors, developers are in for a rude awakening: a new npm malware campaign by dino_reborn hides in seven packages and uses cloaking and fake CAPTCHAs to selectively redirect victims to cryptocurrency phishing flows. This supply‑chain‑style attack evades scanners by activating only under certain conditions, turning convenience into a costly risk.

Secure Cloud Workloads: Exclusive Best Practices at Scale
Dont let one wrong permission undo your cloud gains—learn the identity-first, Zero Trust practices top teams use to secure cloud workloads at scale. This practical guide delivers clear, scalable steps to balance speed, cost and risk.

Full Lifecycle COTS AI: Must-Have, Affordable Wins
Skip the custom headaches: Full Lifecycle COTS AI delivers affordable, end-to-end platforms with built-in compliance and vendor support so agencies can cut risk, speed deployment, and focus on mission results.

Self-Replicating Worm Hits 180+ Packages: Exclusive Danger
A fast-spreading self-replicating worm has already infected 180+ packages—our exclusive breakdown reveals how it spreads, who’s at risk, and the quick steps you can take to protect your projects.