Discovered Vulnerabilities
The Second Coming of Shai-Hulud: npm Targeted Yet Again
TL;DR This is the second time a malicious campaign - codenamed Shai‑Hulud - has been detected targeting the npm ecosystem....
Research
Research
OWASP Top 10 2025: Key Changes and What They Mean for Application Security
The OWASP Top 10 2025 release candidate is here, marking an important milestone in the evolution of application security best...
Research
Part 2: Attackers Love Your GitHub Actions Too
In Part 1 of this blog series, we learned about GitHub Actions and their risks—now comes the fun part. It’s...
Research
Part 1: Attackers Love Your GitHub Actions Too
Why do attackers love GitHub Actions, and why should you care? The answer lies in a dangerous combination of widespread...
Discovered Vulnerabilities
New runC Vulnerabilities Expose Docker and Kubernetes to Container Escape Attacks
This week, three new high-severity vulnerabilities were revealed in runC, the fundamental runtime technology used by most container platforms. This...
Discovered Vulnerabilities
CVE-2025-59287 Explained: Critical WSUS RCE Vulnerability Actively Exploited
On October 23rd, Microsoft released an unusual out-of-band security patch for CVE-2025-59287, a remote code execution vulnerability in WSUS (Windows...
Thought Leadership
Supply Chain Attacks: What Are They and Why Should You Care?
Few threats capture the complexity of today’s digital ecosystem quite like supply chain attacks. These incidents don’t just exploit technical...
Discovered Vulnerabilities
pull_request_nightmare Part 2: Exploiting GitHub Actions for RCE and Supply Chain
Executive summary We have managed to successfully compromise repositories owned by Microsoft, Google, Nvidia and many more using a single...
Discovered Vulnerabilities
pull_request_nightmare Part 1: Exploiting GitHub Actions for RCE and Supply Chain Attacks
Executive Summary: The Orca Research Pod has uncovered critical security risks across several high-profile open source repositories that relied on...