Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Version 2026.4.0 of the widely-used @bitwarden/cli npm package (78,000 weekly downloads) has been identified as malicious. The package contains a sophisticated multi-stage credential theft worm that explicitly names itself "Shai-Hulud: The Third Coming", a direct callback to previous Shai-Hulud supply chain campaigns, and targets developer credentials including SSH keys, cloud secrets, and even MCP configuration files.

Mailcow is a widely used self-hosted and open source email server that hosts everything you'd need to manage mailboxes yourself. To assess its security, we set up a local instance and ran our AI pentesting agents against it. We found three XSS vulnerabilities, including a critical vulnerability that allowed unauthenticated attackers to take over administrator accounts while looking at their logs in the UI. Gaining access to a mailbox can have a serious security impact.

It’s been a chaotic few weeks for Axios. First, a major supply chain attack put the package under scrutiny. Then, just days later, headlines started appearing about a “critical 10/10 vulnerability” that could lead to full cloud compromise. If you’ve read the coverage, you’ve probably seen claims like: That sounds bad. But when you look closely at how this vulnerability actually behaves in real environments, the story changes.

Bug bounty has been a very hot topic lately. We’re seeing high-profile programs go offline or fundamentally change: the IBB (one of the most important programs for open-source programs) is pausing submissions, curl is removing payouts and Node.js is removing its bounty entirely. That’s not noise, that's signal.

Hoppscotch is an open-source API development ecosystem, similar to Postman, with over 100,000 monthly users. Two weeks ago, we set up a self-hosted instance and ran our AI pentest agents against it. They found two high-severity vulnerabilities and one medium-severity vulnerability, all present in versions up to and including 2026.2.1, and all patched in 2026.3.0: All three were responsibly disclosed and have been resolved. Note: We accidentally grouped the XSS and an Access Control issue into one report.