Shai-Hulud, Shai-Hulud 2.0, Trivy, LiteLLM, and now Axios, and many smaller compromises bring us to the realization that existing supply chains are highly vulnerable. A common thread across these attacks is that once you download and install a compromised package, the usual behavior of the malicious code inside is to steal tokens and other… Continue reading Time to Start Treating Dev Machines as Untrusted
Category: Security
Towards Perfect Vulnerability Management System
Here I would like to summarize my thoughts on what constitutes a perfect vulnerability management system, what frequently gets missed, and what elements we already have in the latest ReARM release. I Not Only Vulnerabilities First of all, a management system should cover all security findings, not only vulnerabilities. That includes things like SAST /… Continue reading Towards Perfect Vulnerability Management System
SBOM Developments for December 2025
Happy New Year 2026! Following my previous post about SBOM developments for July 2025, this is another one about things that happened in the community since. Again, this is mostly for myself as a reference storage but I’m happy if other people find this useful too. 1. ENISA SBOM Landscape Analysis December 2025 – important… Continue reading SBOM Developments for December 2025
My TEA Talk from OWASP 2025 Global AppSec USA
Slides available here.
How to Use ReARM to Check if Shai-Hulud 2.0 Infiltrated Your Dependencies (video)
I recorded a video showing the new batch search functionality for SBOM components in ReARM:
My Talk on TEA at KubeCon NA 2025 Pre-event
I gave another talk on the Transparency Exchange API at Open Source SecurityCon 2025 in Atlanta on November 10: “Transparency Exchange API: Where To Find Product SBOM?” The YouTube recording is now live and available below. You can also find slides here.
ReARM Demo Video for SecTor 2025 Arsenal
SBOM Diffing: Next Frontier for Supply Chain Security
I’ve been thinking about continuous SBOM diffing for a while, but the subject appears to be even more important than I initially thought. Yesterday (November 11, 2025) I attended the SBOMit workshop, which was part of KubeCon NA 2025. SBOMit is an OpenSSF project which deals with SBOM correctness, validity and verification. Specifically, the demo… Continue reading SBOM Diffing: Next Frontier for Supply Chain Security
My Talk on TEA at BSides Toronto
Below is the YouTube recording of my talk “Transparency Exchange API: How We Will Share xBOMs” given on October 4th at BSides Toronto. Slides are available here.
npm Has Become a Russian Roulette
npmjs.org is arguably the world’s largest package repository. In 2022 it was estimated to serve over 43 billion downloads every week. I found no recent estimates, but the number should be much higher today. In the past several weeks, there have been 3 identified large-scale phishing-malware attacks on npmjs.org: Playing Russian Roulette The common… Continue reading npm Has Become a Russian Roulette