When your security scanner gets infected
Last week, two simultaneous supply chain attacks hit the npm and PyPI ecosystems — UNC1069 (a North Korea-linked group) backdoored axios versions 1.14.1 and 0.30.4, while TeamPCP compromised LiteLLM, Telnyx, and critically, Trivy, a popular security scanner used to detect exactly these kinds of attacks. The Trivy compromise highlights the core weakness of scanner-based security: if your security tool lives in the same ecosystem it's protecting, it's just another attack surface.
Read articleSecuring your Software Dependencies with Rego's Policy as Code
In our previous post Intro to Open Policy Agent for Policy as Code with Regohttps://hextrap.com/blog/introtoopenpolicyagentforpolicyascodewithrego/ we introduce the very basic fundamentals of Open
Read articleIntro to Open Policy Agent for Policy As Code with Rego
Open Policy Agenthttps://www.openpolicyagent.org/ OPA is a cloudnative policy engine used for enforcing policyascode in major open source projects like Kuberneteshttps://kubernetes.io/,
Read articleBakin' some bun into Hextrap
Earlier this year we added support for bun to our list of supported package management tools for Javascript. bun is much more than a package manager for Javascript go
Read articleWhy we added MCP support
Since their inception, Hextrap's firewalls were designed to be used by developers locally and in their CI/CD processes. Now that LLMs have taken over, a new threat has emerged in
Read articleThe Case for Soak Time: Why Waiting 72 Hours Could Save Your Company
Analyzing malicious package detection timelines reveals a simple but effective defense most organizations overlook.
Read articleInside a Typosquatting Campaign: 200 Malicious Packages in 48 Hours
Forensic analysis of a coordinated attack on PyPI that exploited human error at scale.
Read articleThe Anatomy of a Software Supply Chain Attack
How attackers exploit trust relationships in package ecosystems to compromise thousands of organizations in a single stroke.
Read articleDependency Confusion: Why Your Private Packages Aren't Private
A deep dive into the attack vector that allowed researchers to breach Apple, Microsoft, and PayPal using nothing but a package.json file.
Read articleWhat the xz Backdoor Taught Us About Long-Term Compromise
The near-miss catastrophe that almost gave attackers root access to most Linux systems, and what it reveals about open source trust.
Read article