Security

Researchers at the University of Toronto have demonstrated a working proof-of-concept: an AI worm that autonomously reasons about its environment, generates attack strategies, and replicates itself without human intervention. It operates entirely on open-weight local models. This is no longer theoretical.

Anthropic released an open-source framework for automated vulnerability discovery powered by AI. This represents a fundamental shift in how security analysis can scale — from manual expert review to AI-assisted code hardening at development time.

A massive npm supply chain attack compromised TanStack, Mistral AI’s client library, and over 170 packages. Here’s what happened, how the attack worked, and the practical steps you should take today to protect your projects.

A Dune-themed malware campaign targeting the PyTorch Lightning library highlights how AI/ML supply chains are becoming prime targets for sophisticated attacks.

Nearly two years after the xz Utils backdoor shocked the open source world, the supply chain security landscape has changed — but not enough.

Supply chain security frameworks like SLSA and SBOM requirements are moving from recommendations to mandates. Here’s what developers need to know about the shifting landscape.

NIST’s post-quantum cryptography standards are finalized, and the migration timeline is no longer theoretical — it’s operational.

A supply chain attack on the popular Ultralytics YOLO package highlights the persistent vulnerability of the Python ecosystem’s distribution pipeline.

November’s Patch Tuesday brought critical zero-days being actively exploited, reminding us that patch management is still the unglamorous foundation of security.

CISA’s Secure by Design initiative is moving from voluntary pledges to measurable industry impact, and software vendors are starting to feel the pressure.

The EU’s latest push to scan encrypted messages reignites the fundamental debate about whether governments can mandate backdoors without destroying security for everyone.