Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

How Mend.io’s ServiceNow integration helps organizations manage application, network, and operational risks together—at scale. Managing AppSec and network risk as separate programs is no longer realistic for enterprise security teams. Today’s digital environments are interconnected, distributed, and constantly changing. A single misconfiguration, unpatched server, or vulnerable open-source component can become a point of exploitation when combined with weaknesses elsewhere in the stack.

During routine monitoring of NPM registry activity, we identified a suspicious pattern involving user sdjkals who has published 10 packages containing what appear to be WOFF2 font files. Initial analysis reveals these are not legitimate font assets. The packages are scoped under @sdjkals/* with version numbers reaching 1.0.1594 and 1.0.1912, indicating extremely rapid republishing cycles, new versions are being pushed every few minutes.

On December 3, 2025, the React team disclosed CVE-2025-55182, a critical remote code execution vulnerability in React Server Components. The flaw carries a CVSS score of 10.0, the maximum severity rating. What makes this vulnerability particularly dangerous is its simplicity: attackers only need to send a single crafted HTTP request to gain complete control over vulnerable servers. No authentication required. No complex exploit chains. Just one malicious request.

Today, we’re excited to announce the availability of Mend.io’s new integration with Wiz, delivering a powerful Code-to-Cloud security workflow for joint customers. By bringing Mend SAST’s high-accuracy code findings directly into the Wiz platform, organizations can now unify code-level risks with cloud posture, runtime context, identities, and infrastructure—unlocking the complete picture needed to prioritize and remediate risk with confidence.

Top application security testing providers include Mend, Invicti, and Black Duck, offering a range of services like Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA). Some providers also provide specialized services like securing AI applications and vulnerability management.

A significantly evolved version of the Shai-Hulud malware now tracked as Sha1-Hulud has been discovered with over 800 packages affected, now featuring persistent backdoor capabilities through compromised GitHub Actions runners and enhanced multi-cloud credential harvesting.

SAST (Static Application Security Testing) tools analyze an application’s source code to identify potential security vulnerabilities without executing the code. They are crucial for finding security flaws early in the development lifecycle, helping developers address issues before they become more costly and difficult to fix. Unlike dynamic analysis techniques, SAST operates without executing the program, focusing entirely on the static codebase.