SCA stories

Sonatype flags 21,764 malicious open-source packages in Q1 2026, with npm hit hardest as attackers used trusted workflows to steal secrets.

Vulnetix expands AI coding defences as Australia's first Global CVE Numbering Authority, opening vulnerability tools to developers nationwide.

Avocado urges Australian firms to tighten repository security as the ACSC reissues a high alert on active supply chain attacks and secrets sprawl.

Open source malware advisories jumped in 2025 as Endor Labs warned that firms are under-prepared and budgets lag the threat.

AppOmni upgrades Heisenberg to help teams trace GitHub Actions and spot tainted dependencies after the LiteLLM supply chain breach.

NetRise unveils Provenance, a tool to trace open source maintainers and stop risky dependencies before they spread through software.

Fime's EMEA lab wins EMVCo nod to test fingerprint sensors for biometric cards, supporting global roll-out of trusted contactless payments.

Sonatype says smaller AI tied to live software data can outsecure larger models on dependency upgrades, slashing risk and cost.

Veracode unveils an AI-driven tool that automatically fixes open-source vulnerabilities, tackling mounting security debt in software supply chains.

Harness has launched AI Security and Secure AI Coding tools to spot and block vulnerabilities in AI-powered apps and AI-generated code.

ActiveState launches Curated Catalog, a private, pre-vetted open source repository to tighten software supply chain security for enterprises.

Manifest unveils SBOM generator for unmanaged C and C++ code, tackling critical supply chain blind spots in embedded and safety systems.

RateGain and Juspay unveil RG Pay, an embedded payments layer to boost cross-border checkout performance for global travel brands.

BioCatch launches DeviceIQ to scan mobile and web devices before login, spotting AI-driven fraud and compromised handsets in milliseconds.

ActiveState appoints seasoned open source leader Abby Kearns as Chief Executive, sharpening its focus on managed open source security.

Appdome's new Threat-Memory tool stores on-device threat histories and AI scores to counter repeat mobile fraud and account takeovers.

Endor Labs unveils AURI, a security intelligence platform embedding reachability-led checks into AI coding assistants and CI/CD pipelines.

Manifest research reveals executives overestimate AI security readiness, as AppSec teams warn of unmanaged tools, blind spots and rising risk.

Security debt hits 82% of organisations as legacy flaws linger over a year, with third-party code driving most critical vulnerabilities.

Ecommpay launches a free fraud guide for online retailers as UK payment fraud hits GBP £1.17 billion and AI-driven scams rapidly escalate.