Skip to content

// #software-development-security

0 articles

← All tags

Commentary tagged #software-development-security

Opinion

Developer Credentials Are the New Supply Chain Entry Point and the Industry Has Not Caught Up

QLNX's Linux RAT specifically harvests npm tokens, PyPI credentials, and cloud provider keys to enable malicious package publishing under the compromised developer's identity. This is not a new threat — it is a threat that has been escalating systematically for three years while the defensive response has been fragmented. The combination of credential-based package publishing and minimal post-publish scrutiny makes the developer credential the most valuable initial access target in software supply chain attacks.

CipherWatch Editorial

Security Intelligence Platform
Opinion

AI Inference Frameworks Are a First-Class Attack Surface — and Most Enterprises Are Treating Them Like Research Tools

Two critical AI inference framework vulnerabilities disclosed this week — one exploited within 13 hours, one scoring CVSS 9.8 — reveal an uncomfortable truth: the AI toolchain has become enterprise infrastructure, but most security programmes are still treating it like a research curiosity. That gap is now being actively exploited.

CipherWatch Editorial

Security Intelligence Platform
Opinion

AI Infrastructure Is Accumulating Security Debt Faster Than Anyone Admits

LangFlow's actively exploited remote code execution vulnerability and this week's LiteLLM supply chain attack are not isolated incidents — they are early symptoms of an ecosystem that has scaled faster than its security practices. Organisations deploying AI infrastructure are inheriting technical debt they have not yet been asked to account for.

CipherWatch Editorial

Security Intelligence Platform
Opinion

Your CI/CD Pipeline Is Now a Primary Attack Surface

Two supply chain attacks this week — one against a widely-used vulnerability scanner, another poisoning an AI framework via PyPI — targeted the tools developers trust without question. CI/CD pipelines and open-source tooling are not peripheral attack surfaces. They are the path of least resistance into production.

CipherWatch Editorial

Security Intelligence Platform