Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Why Claude Code Security Is a Big Moment for Application Security

Anthropic’s launch of Claude Code Security is exciting. Not because it changes everything overnight — but because it confirms something important: AI-powered security inside the developer workflow is becoming the new normal. And that’s a win for the entire industry.

Best Software Composition Analysis Providers: Top 5 in 2026

Major software composition analysis (SCA) providers include Mend, Black Duck (Synopsys), and Veracode. They offer solutions to find, manage, and fix vulnerabilities and license issues in open-source components, with options ranging from developer-focused tools to enterprise-grade platforms with SBOM generation and deep compliance features.

Securing the New Control Plane: Introducing Static Scanning for AI Agent Configurations

Today, Mend.io is proud to announce the launch of AI Agent Configuration Scanning, integrated directly into the Mend AI Scanner. By treating “Agents as Code,” we are bringing security visibility and CI-friendly enforcement to AI configurations before they reach production The rapid adoption of AI agents has transformed the modern developer workflow.

You can't rely on open source for security - not even when AI is involved

Open source libraries, packages, and models power nearly every product team today. They accelerate development, democratize innovation, and let teams stand on the shoulders of giants. But there’s a dangerous assumption creeping into engineering orgs: that open source — or AI trained on open source — will keep your software safe. That assumption is wrong. Open source gives you speed and community, not guaranteed security.

Introducing Mend.io's AI Security Maturity Survey + Compliance Checklist available today

Today, we’re excited to launch two practical tools to help teams quickly understand their AI maturity, quantify AI risk, and gather the evidence executives will ask for in 2026: an interactive AI Security Maturity Survey (with a personalized score and mapped recommendations) and a companion AI Security Compliance Checklist. Both are aligned to industry standards and built to be immediately useful in discovery, audits, and planning.

LLM Red Teaming: Threats, Testing Process & Best Practices

LLM red teaming is a proactive security practice that involves systematically testing large language models (LLMs) with adversarial inputs to find vulnerabilities before deployment. By using manual or automated methods to probe for weaknesses, red teamers can identify issues like harmful content generation, bias, or security exploits, which are then addressed through a continuous “break-fix” loop to improve the model’s safety and reliability.

Automated Red Teaming: Capabilities, Pros/Cons, and Latest Trends

Automated red teaming uses software to simulate cyberattacks and test security defenses, helping organizations find and fix vulnerabilities more efficiently. It automates tasks like credential harvesting, system enumeration, and privilege escalation to test security posture in a continuous, scalable manner. Beyond traditional systems, automated red teaming can also be used for AI systems, where it tests for risks like data poisoning or prompt injection in generative models.

Why AppSec and Network Risk Management Must Be Unified in the Modern Enterprise

How Mend.io’s ServiceNow integration helps organizations manage application, network, and operational risks together—at scale. Managing AppSec and network risk as separate programs is no longer realistic for enterprise security teams. Today’s digital environments are interconnected, distributed, and constantly changing. A single misconfiguration, unpatched server, or vulnerable open-source component can become a point of exploitation when combined with weaknesses elsewhere in the stack.

NPM User Flooding Registry with Fake Font Packages

During routine monitoring of NPM registry activity, we identified a suspicious pattern involving user sdjkals who has published 10 packages containing what appear to be WOFF2 font files. Initial analysis reveals these are not legitimate font assets. The packages are scoped under @sdjkals/* with version numbers reaching 1.0.1594 and 1.0.1912, indicating extremely rapid republishing cycles, new versions are being pushed every few minutes.

From Zero to RCE: How a Single HTTP Request Compromises React and Next.js Applications

On December 3, 2025, the React team disclosed CVE-2025-55182, a critical remote code execution vulnerability in React Server Components. The flaw carries a CVSS score of 10.0, the maximum severity rating. What makes this vulnerability particularly dangerous is its simplicity: attackers only need to send a single crafted HTTP request to gain complete control over vulnerable servers. No authentication required. No complex exploit chains. Just one malicious request.