Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

LLM red teaming is a proactive security practice that involves systematically testing large language models (LLMs) with adversarial inputs to find vulnerabilities before deployment. By using manual or automated methods to probe for weaknesses, red teamers can identify issues like harmful content generation, bias, or security exploits, which are then addressed through a continuous “break-fix” loop to improve the model’s safety and reliability.

Automated red teaming uses software to simulate cyberattacks and test security defenses, helping organizations find and fix vulnerabilities more efficiently. It automates tasks like credential harvesting, system enumeration, and privilege escalation to test security posture in a continuous, scalable manner. Beyond traditional systems, automated red teaming can also be used for AI systems, where it tests for risks like data poisoning or prompt injection in generative models.

How Mend.io’s ServiceNow integration helps organizations manage application, network, and operational risks together—at scale. Managing AppSec and network risk as separate programs is no longer realistic for enterprise security teams. Today’s digital environments are interconnected, distributed, and constantly changing. A single misconfiguration, unpatched server, or vulnerable open-source component can become a point of exploitation when combined with weaknesses elsewhere in the stack.

During routine monitoring of NPM registry activity, we identified a suspicious pattern involving user sdjkals who has published 10 packages containing what appear to be WOFF2 font files. Initial analysis reveals these are not legitimate font assets. The packages are scoped under @sdjkals/* with version numbers reaching 1.0.1594 and 1.0.1912, indicating extremely rapid republishing cycles, new versions are being pushed every few minutes.

On December 3, 2025, the React team disclosed CVE-2025-55182, a critical remote code execution vulnerability in React Server Components. The flaw carries a CVSS score of 10.0, the maximum severity rating. What makes this vulnerability particularly dangerous is its simplicity: attackers only need to send a single crafted HTTP request to gain complete control over vulnerable servers. No authentication required. No complex exploit chains. Just one malicious request.

Today, we’re excited to announce the availability of Mend.io’s new integration with Wiz, delivering a powerful Code-to-Cloud security workflow for joint customers. By bringing Mend SAST’s high-accuracy code findings directly into the Wiz platform, organizations can now unify code-level risks with cloud posture, runtime context, identities, and infrastructure—unlocking the complete picture needed to prioritize and remediate risk with confidence.

Top application security testing providers include Mend, Invicti, and Black Duck, offering a range of services like Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA). Some providers also provide specialized services like securing AI applications and vulnerability management.

A significantly evolved version of the Shai-Hulud malware now tracked as Sha1-Hulud has been discovered with over 800 packages affected, now featuring persistent backdoor capabilities through compromised GitHub Actions runners and enhanced multi-cloud credential harvesting.

SAST (Static Application Security Testing) tools analyze an application’s source code to identify potential security vulnerabilities without executing the code. They are crucial for finding security flaws early in the development lifecycle, helping developers address issues before they become more costly and difficult to fix. Unlike dynamic analysis techniques, SAST operates without executing the program, focusing entirely on the static codebase.

Today, we’re introducing our Risk Reduction Dashboard. This is a new way for security leaders to quantify their AppSec program’s impact, prioritize high-value fixes, and prove ROI with data-backed insights that go beyond raw vulnerability counts.