New integrations offer engineering leaders access to Security data directly within the Jellyfish platform and include connections to Snyk, Checkmarx, GitHub Advanced Security, and Wiz. Now, you can understand exactly how incident volume impacts delivery speed or how code quality trends affect security. Learn more about the latest integrations here: https://lnkd.in/g7ZPtBGi Then, request a demo to see Jellyfish in action: https://lnkd.in/gjqEwG-T
Jellyfish Integrates with Snyk, Checkmarx & More for Enhanced Security
I’ve been interested in the idea of talking to your local CLI agents from a remote mobile interface for a while now. It’s been fascinating watching the excitement around OpenClaw, but I never fully indulged because the security risks always felt a bit too real. When OpenAI released codex-app-server, it clicked. I could build something in the same space as OpenClaw, but with my own twist and with less security overhead. So I built codex-discord-bridge. It’s a Discord bot that uses codex-app-server to let you talk to codex-cli running against your local repository, over the open internet, directly from Discord chat. https://lnkd.in/ddzXW6rE
🚨 Trivy has been attacked again 🚨 This time, attackers went beyond a single bad release on the most widely used open-source vulnerability scanner. Along with a malicious v0.69.4 binary, they force-moved 75 out of 76 version tags in the aquasecurity/trivy-action GitHub Action to point at attacker-controlled commits containing an infostealer. This means any CI pipeline referencing this action by tag, even older "stable" versions, could be silently running malicious code right now. If you’re using the Trivy image from Echo’s secure registry, you’re safe. If not, we recommend checking local installs for v0.69.4, auditing GitHub Actions usage for tag-based references, and rotating secrets if compromised workflows ran. An important key takeaway? Pinning to a version tag is not the same as pinning to an immutable reference. If you have any questions, feel free to comment below – we're here to help!
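The post recommends auditing GitHub Actions usage for tag-based references. The script below is an added example (not code from the post's author or from the Trivy project) that does exactly that audit: it walks the `uses:` lines of a workflow file and flags every external action whose ref is not a full 40-character commit SHA, since a tag or branch name can be force-moved while a commit SHA cannot. The sample workflow text and the `example-org/...` action names are constructed for the demo; the `audit_workflow`, `mutable_refs` and `audit_directory` function names are this example's own.

```python
"""Audit GitHub Actions workflow files for mutable (tag/branch) action references.

Added example implementing the recommendation in the post above. A tag such as
@v1.2.3 can be re-pointed at a different commit; a full commit SHA is immutable.
The sample workflow below is constructed and its action names are illustrative.
"""
import re
from pathlib import Path

# Matches `uses: owner/repo[/path]@ref` lines, with or without a leading "- " and quotes.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?', re.MULTILINE)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(ref: str) -> str:
    """Return 'sha' for an immutable full-commit pin, otherwise 'mutable'."""
    return 'sha' if FULL_SHA_RE.fullmatch(ref) else 'mutable'


def audit_workflow(text: str) -> list:
    """Return one finding (dict) per external action reference in a workflow file."""
    findings = []
    for m in USES_RE.finditer(text):
        target = m.group(1)
        # Local actions and docker:// images are not GitHub tag references; skip them.
        if target.startswith('./') or target.startswith('docker://'):
            continue
        action, sep, ref = target.partition('@')
        if not sep:
            ref = ''  # no ref at all resolves to the default branch, which is also mutable
        findings.append({
            'action': action,
            'ref': ref,
            'pin': classify_ref(ref),
            'line': text.count('\n', 0, m.start()) + 1,
        })
    return findings


def mutable_refs(text: str) -> list:
    """(action, ref) pairs that are not pinned to a full commit SHA."""
    return [(f['action'], f['ref']) for f in audit_workflow(text) if f['pin'] == 'mutable']


def audit_directory(root: Path) -> dict:
    """Audit every workflow file under <root>/.github/workflows."""
    results = {}
    for path in sorted((root / '.github' / 'workflows').glob('*.y*ml')):
        results[str(path)] = audit_workflow(path.read_text())
    return results


# Constructed sample: one SHA pin, one tag pin, one branch ref, one local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Run scanner
        uses: example-org/scanner-action@v1.2.3   # constructed name, tag pin
      - uses: example-org/helper-action@main      # constructed name, branch ref
      - uses: ./.github/actions/local-step
"""

if __name__ == '__main__':
    for f in audit_workflow(SAMPLE_WORKFLOW):
        flag = 'OK  ' if f['pin'] == 'sha' else 'WARN'
        print(f"{flag} line {f['line']}: {f['action']}@{f['ref'] or '<default branch>'}")
```

Run it against a checkout with `audit_directory(Path('.'))`. The check is deliberately strict: a short SHA or a tag that happens to look like one is still reported as mutable. It does not verify that a given SHA actually belongs to the named repository, so a pinned SHA still deserves a one-time look at the commit it points to before it is trusted.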
Shai-Hulud 2.0 wasn’t just another supply chain incident: it was an attack path. In his latest post, JD Crandell breaks down the worm used in the attack through an Attack Path Management (APM) lens:
• How a PWN request led to credential exposure
• How a GitHub PAT unlocked NPM tokens
• How semantic versioning amplified propagation
• How 13.7k public repos became an exfiltration network
JD decomposes the infection into graph edges like:
• StartsInitialInfection
• ContainsCredentialsFor
• ShaiHuludInfectsModifiablePackages
• InstalledOn
He also introduces NPMHound, a tool that models NPM dependency chains in BloodHound OpenGraph without installing packages. If attackers think in graphs, defenders should too. Read the full breakdown here: https://ghst.ly/4u8rqGf
🚨 Security, transparency & trust in open source 🚀 Recently, the team behind Trivy, the widely-adopted open-source security scanner by Aqua Security, publicly disclosed a security incident where their GitHub repository was affected due to a compromised PAT used in a CI workflow. The team provided a clear timeline of the impact, the fixes deployed, and what users should expect as recovery continues. What really stood out to me was how transparently the Aqua Security maintainers communicated about the situation, detailing what happened, what was impacted, and how they are responding. This level of openness matters in security tooling, especially for projects that form the backbone of many DevSecOps pipelines. For those who don’t know, Trivy is one of the most popular open-source vulnerability scanners in the cloud-native ecosystem, trusted by teams to scan container images, IaC, code repos, and more. Its ease of use and broad integration (e.g., GitLab, Harbor, GitHub Actions) have made it a go-to tool for both DevOps and security teams. 👏 Hats off to the Aqua Security team for not only building a strong tool but also for demonstrating that transparency and accountability are pillars of good security practice. https://lnkd.in/e8yZxdcs #opensource #security #devsecops #Trivy #AquaSecurity
🔐 Lupin & Holmes - Depi announces its $5.9M Seed to secure the software supply chain through offensive security. Modern software depends on increasingly complex open-source stacks, yet most security tools remain reactive, flagging known vulnerabilities while missing how real attackers chain weaknesses together. Depi flips the model by mapping concrete attack paths across the software supply chain, helping teams uncover what is actually exploitable before attackers do. Its platform actively tests pipelines, registries, repositories, and dependencies to surface precise, actionable risks instead of overwhelming teams with noise. Already live, Depi scans millions of packages and delivers a first scan in around 2 minutes while keeping false positives extremely low. Huge applause to Roni Carta and the team for building with such strong technical depth and ambition. We’re thrilled to back you :) This round is co-led by 20VC and Seedcamp, with participation from Purple Fund and amazing angels from Wiz, Hugging Face, and GitGuardian.
Missed this month's runZero Hour? It's now on-demand! Tod Beardsley, VP of Security Research at runZero and former CISA section chief, sat down with Rob King and special guest Wade Sparks III, Senior Vulnerability Analyst at VulnCheck, for a deep dive into everything KEV. They cover what the CISA KEV catalog actually is, what it takes for a vulnerability to land on it, and why not everything on the list deserves the same level of urgency. Plus! Tod demos the KEV Collider, our free, daily-updated tool that lets you filter and sort the entire KEV catalog by the signals that matter most to your environment. 🎥 Watch here: https://lnkd.in/gtyT-KaC
Want to better understand the KEV & use it more effectively? Check out the latest episode of the runZero Hour. #KEVCollider
Exciting news from SixHack Academy, we’ll soon be launching our new certification: Web eXploitation Expert (WXE), focused on Bug Bounty. WXE is designed for learners and security professionals who want to sharpen their web exploitation skills through a practical, hands-on approach aligned with real Bug Bounty scenarios. Stay tuned, more information coming soon. https://sixhackacademy.com
This was enlightening. Self-hosted GitHub Actions runners are super beneficial, but they can also become a hidden vulnerability if you're not careful. The Sysdig Threat Research Team dives into the Shai-Hulud campaign, illustrating how attackers can exploit these runners for ongoing access and what signs defenders need to monitor. If you're involved with self-hosted runners or CI/CD pipelines, check this out: https://okt.to/oVGPid
Excellent opportunity to improve your skills in the field of Cybersecurity! Google Cloud Security is providing an immersive experience of #SecOps environment and also a great #CTF challenge. #GoForIt #ChallengeYourself #Cybersecurity
Ready to level up your SecOps game? 🚀 We’re officially launching our first-ever Google Security Community Virtual SecOps Workshop & CTF Challenge! This program is designed to get you hands-on with the tools. Whether you’re a veteran or just starting out, we’ve built this two-in-one session to help you level up and put your skills to the test! What’s on the agenda?
✅ The Workshop: Master Google’s Unified Data Model (UDM) and learn to pivot seamlessly between Raw Log Scans and the UDM Search Interface.
✅ The CTF: Put those new skills to the test in a competitive, virtual Capture the Flag challenge.
Help us make this pilot a success so we can keep bringing these sessions to the community! Register today → https://bit.ly/4u2QBKh