Open Source Vulnerability Management at Build Time

Open source vulnerability management at build time means inspecting and enforcing policy on every open source package the moment it enters your CI/CD pipeline, rather than scanning code only before or after a build runs. Open source makes up the majority of most modern codebases, and the riskiest moment comes when those dependencies get pulled […]
The Complete Application Security Stack Guide For 2026

A modern application security stack rests on four foundational categories (code security or SAST, dependency security or SCA, runtime security or DAST/RASP, and infrastructure security) plus a fifth layer that most organizations are missing: build-time security, also known as a Build Application Firewall (BAF). Each layer covers a different attack surface, and no single tool […]
Red Hat npm Supply Chain Attack: Miasma Hits @redhat-cloud-services

Date Observed: June 1, 2026
Ecosystem: npm @redhat-cloud-services
Targets: CI/CD pipelines and developer workstations consuming @redhat-cloud-services packages
Attack Type: CI/CD pipeline compromise; preinstall hook injection; multi-stage credential theft; worm propagation
Impact: At least 32 @redhat-cloud-services packages / 96 malicious versions were backdoored; multi-cloud credential theft (GitHub Actions, AWS, GCP, Azure, Kubernetes, HashiCorp Vault, CircleCI); downstream propagation capability; ~80,000 cumulative […]
Microsoft’s Durabletask PyPI Attack: Mini Shai-Hulud Saga Continues.

Date Observed: May 19, 2026
Ecosystem: PyPI (Python)
Targets: CI/CD runners, cloud workloads, Kubernetes clusters, developer environments consuming durabletask
Attack Type: Supply chain compromise via stolen PyPI publishing token; import-time malicious loader with multi-stage payload
Impact: Multi-cloud credential theft (AWS, Azure, GCP, Kubernetes, HashiCorp Vault, password managers); lateral movement via AWS SSM and kubectl exec; geotargeted disk wiper; persistent […]
Mini Shai-Hulud Hits @antV: Here We Go Again

Date Observed: May 19, 2026
Ecosystem: npm (Node.js)
Targets: @antV data visualization packages, echarts-for-react, timeago.js, size-sensor, canvas-nest.js, CI/CD pipelines, developer workstations.
Attack Type: Maintainer account compromise, preinstall hook injection, optionalDependencies abuse, npm worm propagation
Impact: 639 malicious package versions across 323 npm packages; 2,700+ GitHub exfiltration repositories created; cloud credentials, tokens, and SSH keys stolen
Key Takeaways
The npm […]
What Is a Build Application Firewall?

TL;DR: A Build Application Firewall (BAF) does for CI/CD pipelines what a WAF does for web applications: it sits inline, inspects live traffic, and enforces policy in real time. WAFs became mainstream because traditional network firewalls could not see application-layer attacks. BAFs address the same kind of visibility and enforcement gap in CI/CD, where pipelines […]
TanStack npm Supply Chain Attack: Mini Shai-Hulud Returns

Date Observed: May 11, 2026
Ecosystem: npm, PyPI
Targets: Developers using @tanstack/react-router and related packages; UiPath, Mistral AI, OpenSearch, and Guardrails AI users
Attack Type: GitHub Actions cache poisoning, OIDC token extraction from runner memory, npm worm self-propagation
Impact: 84 malicious package versions across 42 @tanstack/* npm packages; PyPI packages also compromised; credentials stolen from GitHub, AWS, GCP, Kubernetes, […]
BufferZoneCorp Supply Chain Attack Hits Ruby and Go

Date Observed: Late April 2026
Ecosystem: RubyGems and Go Modules
Targets: Developers, CI runners, and GitHub Actions pipelines
Attack Type: Malicious package campaign, credential theft, CI poisoning, and SSH persistence
Impact: Secret exposure, build tampering, poisoned dependency resolution, and possible long-term runner access
Key Takeaways
The BufferZoneCorp campaign targeted developer systems and CI environments with Ruby gems and Go […]
What Is Build-Time Security for CI/CD Pipelines?

TL;DR: A CI/CD pipeline is privileged, networked, and often executes third-party packages, scripts, actions, containers, or build tools as software is assembled. Traditional AppSec tools such as SAST, SCA, and DAST help secure source code, dependencies, and deployed applications, but they do not fully monitor or control what happens while the build itself is running. […]
Build-Time Security: The Missing Layer in Application Security

TL;DR: AppSec tools cover code (SAST), dependencies (SCA), and deployed applications (DAST), but most do not monitor and enforce policy on live build execution, the phase where secrets are available, egress is open, and dependencies execute. Recent attacks involving Axios, TeamPCP, and the Bitwarden CLI npm compromise show how attackers exploit this blind spot. Build-time […]