
Blogs
A Curated Collection of Writings, Research, and Solutions

Cyber Security
How Attackers Weaponized Trust: The Billion-Download npm Breach
The recent NPM supply chain attack was a wake-up call for the entire software industry. Hackers managed to slip malicious code into widely used open-source libraries. Within hours, those “bad blocks” were downloaded billions of times and silently built into applications around the globe.
September 11, 2025
6 Minutes

Cyber Security
Securing the Software Supply Chain: How Distroless Containers Defend Against npm Malware Attacks
In July 2025, the npm package 'is', downloaded over 2.8 million times per week, was compromised via a phishing attack. The attackers created a fake npm domain and tricked the maintainer into giving up credentials, allowing them to upload malware-laced versions.
August 13, 2025
5 Minutes


Cyber Security
Widespread Open Source Attack: Malicious Code Identified in npm, PyPI, and RubyGems Repositories
June 2025 has exposed a new wave of attacks on the open-source ecosystem - one that’s catching developers and organizations off guard. Over the last several weeks, security researchers have uncovered a disturbing trend: malicious packages being uploaded to popular registries like npm, PyPI, and RubyGems, with the goal of stealing credentials, draining cryptocurrency wallets, and even wiping out entire application directories.
June 24, 2025
6 Minutes


Application Security
CodeQL Compromised: How Public Secret Exposure Led to an Attack
In March 2025, the cybersecurity community was rocked by a significant supply chain attack targeting a popular third-party GitHub Action, tj-actions/changed-files. This incident, tracked as CVE-2025-30066, has exposed vulnerabilities in up to 23,000 repositories.
April 2, 2025
5 Minutes


Data Protection
Addressing RBI's Guidelines for Digital Payment Applications with CleanStart
The Reserve Bank of India (RBI) has issued Master Directions on cyber resilience and digital payment system controls emphasizing a "Secure by Design" approach under application security for digital payment systems. This directive underscores the growing importance of robust security measures in India's fast-growing digital payments landscape. It also marks a significant shift toward integrating security at every stage of the software development lifecycle (SDLC). This isn't merely a compliance checkbox; it's a fundamental necessity in today's threat landscape. This blog explores the technical complexities of implementing the framework, addressing key challenges, and presenting CleanStart as a robust solution.
March 4, 2025
6 Minutes


Cyber Security
The Evolution of CISOs: From Network Guardians to Product Security Leaders
After engaging with hundreds of CISOs worldwide, it has become evident that the role of the CISO is undergoing a significant transformation. As organizations increasingly evolve into technology-centric entities, the traditional network-focused security approach is no longer adequate.
March 1, 2025
5 Minutes


Application Security
Critical NVIDIA Container Toolkit Vulnerability: CVE-2025-23359
A security vulnerability, CVE-2025-23359, has been identified in the NVIDIA Container Toolkit. This is a bypass of the original patch for CVE-2024-0132. The vulnerability was discovered by Wiz Research.
February 20, 2025
4 Minutes


Application Security
Supply Chain Attack on lottie-player: A Wake-up Call for JavaScript Security
In February 2024, the JavaScript community faced another significant supply chain security incident when the popular lottie-player package was compromised. This attack serves as a stark reminder of the vulnerabilities in our modern software supply chain and the importance of maintaining robust security practices. Let’s dive into what happened, its implications, and how developers and organizations can protect themselves against similar threats.
December 18, 2024
7 Minutes


Application Security
Hidden Dangers: Why Vulnerable Container Images Cost More Than You Think
In today's cloud-native world, containers have become the building blocks of modern applications. Yet, beneath the surface of this technological revolution lurks a critical security challenge that many enterprises overlook – the security of their base container images.
December 5, 2024
5 Minutes


Cyber Security
The Evolution of Open-Source Software: Past, Present, and Future
Open-source software (OSS) has become a cornerstone of modern technology, driving innovation and collaboration across industries. From its humble beginnings to its current widespread adoption, OSS has transformed the tech landscape. This blog explores the journey of open-source software, its current state, and what the future holds.
November 27, 2024
6 Minutes


Data Protection
Container Image Signing: Enhancing Security in the Software Supply Chain
In today's rapidly evolving landscape of containerized applications, ensuring the integrity and authenticity of container images has become paramount. Container image signing is a crucial security practice that addresses these concerns, providing a robust mechanism to verify the origin and integrity of container images throughout the software supply chain.
November 12, 2024
4 Minutes


Cyber Security
Busting Myths About Open Source and Containers
In the world of software development, open source and container technologies have transformed the way applications are built, deployed, and managed. Despite their widespread adoption, several myths about their security and usage persist. This article debunks these common misconceptions and provides a clearer understanding of the realities.
November 5, 2024
5 Minutes


Network Security
Strengthening Software Supply Chain Security with SLSA
In today’s digital landscape, securing the software supply chain has become a critical priority. With the increasing complexity of software development and deployment, ensuring the integrity and security of software artifacts is paramount. This is where SLSA (Supply Chain Levels for Software Artifacts) comes into play.
October 17, 2024
5 Minutes


Data Protection
The recent discovery of a critical vulnerability in NVIDIA
The recent discovery of a critical vulnerability in NVIDIA’s Container Toolkit (CVE-2024-0132) has sent shockwaves through the AI and DevOps communities. This vulnerability serves as a stark reminder of the hidden dangers lurking within our AI infrastructure. Here, we delve into the key lessons learned and the steps that AI practitioners and DevOps teams must take to safeguard their systems.
October 7, 2024
5 Minutes


Cyber Security
Empowering Development: Securing Software Supply Chain with CleanStart
In today's digital world, software supply chains are constantly under attack, which you often hear about in the news. At Triam Security, we believe developers shouldn't have to slow down to make things secure. We're all about finding new ways to make sure software stays safe without getting in the way of getting things done quickly. Whether you're just starting out or you're already deep into development, we're here to help every step of the way, offering support and expertise.
April 30, 2024
5 Minutes
