Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

AI security threats are evolving at roughly the same speed that AI itself is: extremely fast. One of the most recent—and least understood—vulnerabilities involves vector and embedding weaknesses. These issues have gained attention with their addition to the OWASP Top 10 for LLMs, and the risks are becoming more urgent as Retrieval-Augmented Generation (RAG) continues to dominate enterprise AI adoption.

As many of you may know, MITRE’s DHS contract to manage the CVE and CWE programs expired on April 16, 2025. While emergency funding has since been restored for a short time, the long-term future of these programs still remains uncertain. Understandably, this situation has raised concerns throughout the cybersecurity community about the stability and continuity of vulnerability tracking and management systems that many organizations have come to rely upon.

Security teams today face increasing pressure to quantify the effectiveness of their application security programs. Whether it’s justifying security investments to leadership or demonstrating compliance with regulations like PCI DSS, HIPAA, and GDPR, teams struggle to showcase the real impact of their security efforts. Without clear, actionable data, proving that an AppSec program is actively reducing risk becomes a challenge. That changes today.

Every hype cycle brings fresh security concerns, and AI is no exception. AI governance might sound like uncharted territory, but it’s really just another evolution of the same security principles AppSec teams have been applying for years. The fundamentals—secure coding, risk management, compliance, and policy enforcement—haven’t changed.

Lately, it seems like the only thing anyone is talking about in the technology sector is Artificial Intelligence. With good reason! AI is an incredibly powerful tool that is only going to grow in usage and scope. However, there seems to be a lot of confusion around various terms involving AI and security. The focus of this blog will be breaking down the differences between securing AI, secure AI use, AI for security, and AI safety.

Published first as a whitepaper in late 2024, the 2025 OWASP Top 10 for LLM Applications is yet another monumental effort from OWASP made possible by a large number of experts in the fields of AI, cybersecurity, cloud technology, and beyond—including Mend.io Head of AI Bar-El Tayouri. LLMs are still new to the market but beginning to mature, and the OWASP Top 10 for LLM Applications is maturing alongside it.

In a recent discovery, our research team uncovered a fake VS-code extension—truffelvscode—typosquatting the popular truffle for VS-code extension. This extension serves as a trojan horse for multi-stage malware. This blog takes a closer look at how the malicious extension operates, its obfuscation techniques, and IOCs related to this incident.

Security teams face limited resources and a growing attack surface while developers struggle with security responsibilities that feel burdensome, annoying, or seem to conflict with their first priorities. AppSec teams turn to static application security testing (SAST) tools to identify vulnerabilities in first-party code early in the software development lifecycle while developers can still fix issues before the code is old and forgotten about.

At Mend.io, we’re passionate about code security. That’s why we’re thrilled to announce a strategic partnership with JetBrains that integrates Mend.io’s robust security solutions directly into JetBrains IDEs and Qodana environments. With the help of Mend.io, JetBrains users will now have access to robust Software Composition Analysis (SCA) and malicious package detection.

If there’s one thing development and security teams can agree on, it’s that updating dependencies is a worthwhile endeavor. Keeping open-source dependencies up to date reduces bugs—both now and in the long run. And whether those bugs are security vulnerabilities or functional issues, everyone is happy to see them go.