Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The ripple effects of a cyberattack rarely stay contained. Modern organizations rely on vast ecosystems of vendors, suppliers, SaaS providers, and partners. As those connections deepen, so does the potential blast radius of a third-party compromise. What begins as an exposed system or stolen credential inside a vendor environment can quickly cascade across the supply chain. Attackers understand this. Increasingly, they target trusted third parties as an indirect path into larger organizations.

The ink was barely dry on our coverage of the AntV Shai Hulud supply chain attack when a new compromise surfaced in the Python ecosystem. The target this time is durabletask, an open source Python package associated with Microsoft, used for building durable, fault-tolerant workflow orchestration on top of the Durable Task Framework. The latest safe version of durabletask is 1.4.0, and three known versions have been yanked from the PyPI registry.

81% of development teams knowingly ship code with vulnerabilities. That number gets quoted a lot. Usually to make a point about how developers don't take security seriously. Here's a different reading: most of those developers knew the vulnerability was there. They just couldn't do anything about it in time. That's not apathy. That's a system failure. Feature deadlines are usually less flexible than security work.

Attackers are abusing the storage and sharing features of Kuse, a free AI app, to assist in phishing campaigns, according to researchers at Trend Micro. Kuse is a legitimate agentic AI platform used by employees to streamline workflows. Users can share files with coworkers, which generates a link hosted by Kuse’s domain. In this case, attackers are abusing the share feature to generate legitimate-looking phishing links.

Researchers at Guardo Labs are tracking a major phishing campaign that abused Google AppSheet as a relay to send phishing emails. The researchers identified more than 30,000 Facebook accounts that were compromised by this campaign. Since the emails are sent from Google’s legitimate infrastructure, they’re much more likely to land in users' inboxes.

An active supply chain attack has compromised 323 npm packages published under the atool npm maintainer account. The wave sweeps the entire @antv data-visualization organization alongside standalone libraries with wide independent adoption: echarts-for-react, timeago.js, size-sensor, and canvas-nest.js. With echarts-for-react pulling roughly 1.1 million weekly downloads, any project that auto-updates these packages is in scope.

Design system work follows a well-defined loop: read the ticket, check the Figma spec, find the right component primitives, apply the right tokens, write the Storybook stories, run the tests, open the PR. The steps are consistent enough that when we looked at our design system backlog, we didn't just see a list of tasks; we saw a set of instructions waiting to be executed.

Zero-Shot Learning is a podcast for AI builders, hosted by Nancy Wang, Chief Technology Officer at 1Password, and Dev Tagare, Senior Director and Head of Engineering for Gemini Enterprise & Business at Google. Together, they’ve built and scaled AI systems at the infrastructure and product layers and bring a builder's perspective to every conversation.

In a typical enterprise, non-human identities (NHIs) are thought to outnumber human users by at least 50:1. NHIs are various and include: It is estimated that the NHI: human ratio may have leapt to 144:1 as more AI agents were deployed over the last year. CISOs are already alive to the risks posed by orphaned accounts on their systems. They know that automated rotation is required to revoke privileges as soon as NHIs complete tasks.