The question is no longer "Is this software secure?" It's "Can this software be trusted?" Trust should be verified, not assumed. Download your copy of the inaugural Gartner® Magic Quadrant™ for Software Supply Chain Security report here: www.reversinglabs.com/2026-gartner...

npm v12 turns off install script execution by default — the vector Shai-Hulud, Mini Shai-Hulud, and Miasma all relied on. Security experts break down what it fixes and what attackers are already doing instead: www.reversinglabs.com/blog/npm-v12...

Threat actors are using #TikTok & #Instagram tutorials to deliver #Vidarstealer. One video hit 100K views and 1,700 saves — because attackers know which metrics move the algorithm. Research breakdown + IoCs: www.reversinglabs.com/blog/social-... #SocialEngineering #Phishing

48,000 CVEs in 2025. Only 58 posed a real, exploitable threat to enterprise supply chains. "Patch everything" is mathematically dead. The signal that matters: malware, tampering, exposed secrets. Go from noise to signal: www.reversinglabs.com/blog/noise-t... #AppSec #SoftwareSupplyChainSecurity

🚨 Supply Chain Attack Alert! 🚨 31 @redhat-cloud-services hashtag#npm packages backdoored in 72 seconds! ReversingLabs has confirmed a large-scale, coordinated supply chain attack targeting the "@redhat-cloud-services" npm scope.

Megalodon compromised GitHub Actions YAML files across dozens of repos — base64-encoded credential stealer, C2 on RouterHosting LLC. RL retrohunted to a related campaign 2 weeks earlier. Same C2 pattern. Same adversary. IOCs + YARA rule published: hubs.ly/Q04hVW-v0

RL documented 163 samples of the Dirty Frag Linux exploit (formerly Copy Fail), active malware — and developed YARA rules for identification. Patch the kernel. Run the queries. Deploy the rules. The detection gap is now. www.reversinglabs.com/blog/dirtyfr...

Is frontier #AI risk keeping your #AppSec team up at night? Doug Levin shares the facts on #ClaudeMythos. Doug also lays out the case for why a layered #AppSec framework is essential — and what it should look like. 👇 www.reversinglabs.com/blog/how-myt...

A new class of #AI-derived threats is raising red flags: #MCP post-deployment drift ("rug pull") attacks. They exploit trust of agents over time rather than at the initial point of compromise, which requires deeper visibility. Here's what you need to know. hubs.ly/Q04fhLR30

Malware is evolving—and targeting AI workflows. Our research on the PromptMink campaign shows how attackers are abusing AI coding agents like Claude to deliver crypto-stealing malware. This isn’t just prompt injection. It’s supply chain risk in a new form. Read: www.reversinglabs.com/blog/claude-...

It looks like #TeamPCP has again compromised #Checkmarx #VSCode extensions and #Docker images. Newly published VSCode extensions checkmarx.cx-dev-assist (1.17.0 & 1.19.0) and checkmarx.ast-results (2.63.0 & 2.66.0) contain malicious code. secure.software/vscode/packa...

It’s no secret modern #AppDev relies on #OpenSource — what’s catching up is how teams secure it. RL’s free Spectra Assure Community helps teams make smarter decisions about the software they use and ship. 👇 www.reversinglabs.com/blog/why-rl-...

High-end AppSec isn’t just for the Fortune 500. Spectra Assure Community gives devs, AppSec teams & OSS maintainers pro-grade supply chain security insights — without the cost or complexity. Move beyond blind trust 👉 secure.software/user/signup

CTA Member @reversinglabs.com on a fake recruiter campaign: www.reversinglabs.com/blog/graphal... #cybersecurity #scam #fakerecruiter

🚨 New RL #ThreatResearch: The #Graphalgo fake developer recruiter interview campaign is back. RL researchers have uncovered a broader network of fake companies tied to this fake recruiter operation — plus new attacker techniques. Read what the RL team found: www.reversinglabs.com/blog/graphal...

The axios supply chain attack should be front an center for #AppSec teams given it's wide reach. Here's RL's immediate-response checklist — and best practices for ongoing defense. Also learn how RL’s xBOM and Spectra Assure Community can help. 👇 www.reversinglabs.com/blog/axios-a...

At #RSAC, JPMorgan Chase CISO Patrick Opet revisited third-party risk — and the supplier changes that followed. Is your organization learning the lesson on “trust debt”? Learn how to move beyond blind trust: www.reversinglabs.com/blog/opet-jp...

🚨 RL Research Alert! Look out for the compromised versions 1.14.1 and 0.30.4 of axios npm package with almost 11 billion downloads. secure.software/npm/packages...

Look out for compromised versions 4.87.1 and 4.87.2 of telnyx PyPI package with more than 3.75 million downloads. secure.software/pypi/package...

📢 Just dropped: New RL research! 👻 Ghost campaign returns via malicious #npm packages ⚠️ Phishes sudo passwords + hides behind fake install logs 🔍 www.reversinglabs.com/blog/npm-fak... 🛡️ Ask us about it — + Spectra Assure Community — at Booth #4328 #RSAC2026

Security Advisory: our research team is tracking threat actor #TeamPCP, who hacked the #Trivy supply chain and infected over 140 npm packages with self-propagating malware #CanisterWorm. View our platform's analysis of a known infected package here: secure.software/npm/packages...

"Ambiguous package names & fragmented tracking methods leave organizations vulnerable to sophisticated supply chain attacks. By demanding PURLs in your SBOMs, you enforce a strict standard of visibility and accountability" www.reversinglabs.com/blog/why-you... #cybersecurity #SBOM @reversinglabs.com

BSIMM16 reinforces that #AIcoding is the new reality — and it will further destabilize #softwaresupplychainsecurity. So step up your #AppSec. 👇 www.reversinglabs.com/blog/bsimm16...

🚨 RL researchers discovered a malicious package impersonating a legitimate Stripe package on #NuGet — marking a move away from blockchain-related targets while staying focused on financial development tools. Read here: www.reversinglabs.com/blog/malicio...

ReversingLabs' Ashlee Benge shares how to use YARA retrohunting for detection engineering by leverageing RL's dynamic analysis of "pkr_mtsi" for defense in Spectra Analyze. 👉 hubs.ly/Q043qJY-0 #yararules #detectionengineering #malwareanalysis

⚠️ RL #ThreatResearch: A new branch of a fake job recruitment campaign by the NK Lazarus Group, dubbed "graphalgo," is targeting #Javascript & #Python devs with a remote access trojan (RAT). Read more: hubs.ly/Q042HLPR0

⛓️ The recent compromise of Notepad++ underscores supply chain attack method diversification. It also serves as a reminder for why going beyond implicit trust is a must: hubs.ly/Q041-Cb30 #SoftwareSupplyChainSecurity #AppSec #DevSecOps

🤖 #MCP provides a standardized way for #AI agents to connect directly to apps, tools, & data sources. But because they have real authority, they're attractive targets. The new Vulnerable MCP Servers Lab aims to solve this: https://bit.ly/3MaNXAY

Open-source attacks move through normal development workflows 📖 Read more: www.helpnetsecurity.com/2026/02/03/o... #cybersecurity #cybersecuritynews #opensource #supplychain #vulnerabilitymanagement @reversinglabs.com

🪞We looked back on what we predicted the #SoftwareSupplyChainSecurity threat landscape would be in 2025. Here's what we got right — & wrong: https://bit.ly/49UKS19

⛓️‍💥 Former CEO & founder of Black Duck Software Doug Levin writes in his Substack how trust in the reliability of the #SoftwareSupplyChain has sharply deteriorated: https://bit.ly/4qLx66N

🔎 In the latest edition of the RL Researcher's Notebook Series, #malware analyst Robert Simmons offers a deep dive of the recent #EmEditor supply chain compromise: https://bit.ly/4rgniBK

The #StrangerThings concept of the “Upside Down” is a pretty useful way to think about the risks lurking in the software we all rely on. A new report from @reversinglabs.com shines a light into that dark world. #appsec #softwaresupplychain securityledger.com/2026/01/tech...

Open-source malware zeroes in on developer environments 📖 Read more: www.helpnetsecurity.com/2026/01/29/r... #cybersecurity #cybersecuritynews #opensource #malware @reversinglabs.com

🤖 #AI tools are making #Rust a favorite language of devs — even those maintaining codebases like Microsoft’s. Keep reading to learn how #AIcoding bolsters Rust: https://bit.ly/49O7wIs

📣 RL's 4th annual report on the state of #SoftwareSupplyChainSecurity is now available: https://bit.ly/3Fq6F3W #AppSec #DevSecOps

🐍 @python.org announced a 2-year partnership with #Anthropic, which will contribute $1.5 million to support the foundation's security initiatives for #PyPI: https://bit.ly/4a6uvhU

CTA has "helped raise the bar for collaboration across the cybersecurity community, demonstrating that sharing does not weaken competitive advantage — it strengthens collective resilience" @reversinglabs.com tinyurl.com/6xtnck5y #CTA9Years #strongertogether #cybersecurity #threatintelligence

NIST has broadened the Secure Software Development Framework (SSDF) to include the full SDLC. Here's what your #AppSec team needs to know: https://bit.ly/3ZksCbk #DevSecOps #SoftwareSupplyChainSecurity

📝 The Cyber Resilience Act legally obliges software producers to create, maintain, & retain an #SBOM for all products with digital elements marketed within the EU. Here's what you need to know: https://bit.ly/4b4XSSV

🤖 A new report on #AIsecurity from the Cloud Security Alliance finds that enterprise governance of #AI usage & potential threats makes a huge difference: https://bit.ly/459MYrk

🚨New Feature Alert: secure.software now offers free, single click #SBOM delivery in the CycloneDX format. See it in action: app.arcade.software/share/oBBgnr... #Dev #AppSec #DevSecOps

📆 Next Thursday: RL researchers break down real-world campaigns uncovered in the closing months of 2025 across NuGet, PyPI, PowerShell & VS Code: https://bit.ly/4sCIh3f #SoftwareSupplyChainSecurity #Dev #Cybersecurity

⚠️ According to a recent report from the Google Threat Intelligence Group, adversaries are now deploying novel #AI-enabled #malware in active operations: https://bit.ly/45v4FBR #Cybersecurity

⛓️‍💥 Eligibility for #CyberInsurance could hinge on the strength of #SoftwareSupplyChainSecurity & third-party risk management controls: https://bit.ly/3NmbJu5 #Cybersecurity #DevSecOps

🧵Introducing: 🚨New Feature Alert → a series dedicated to RL product updates! This week, we’re excited to unveil a dedicated #Malware page in the RL-SAFE Report: app.arcade.software/share/H7euVM... #SoftwareSupplyChainSecurity #DevSecOps

😵‍💫 #AI technical debt is all the more perilous for being poorly understood. Learn how it forms & can fuel a breach your org can't afford: https://bit.ly/4qHPL3d #AISecurity #Cybersecurity

🔎 In the next installment of the RL Researcher's Notebook series, #malware analyst Rob Simmons unpacks the malicious Windows packer ‘pkr_mtsi’. Read on to learn about it's evolution, & access a #YARA rule for it: https://bit.ly/3YrHvrW #Cybersecurity

⛓️ The open-source SF² presents security scaling as a strategic resource-allocation challenge rather than a staffing problem. Here's how it helps: https://bit.ly/3YijlQz #SoftwareSupplyChainSecurity #DevSecOps #CISO

🤖 As cyber attacks become #AI-optimized & internal AI use rises, enterprises are scrambling to secure files. Here's why your org needs to modernize its #FileSecurity: www.reversinglabs.com/blog/ai-file... #Cybersecurity