The UK Public Sector is Facing a Big Cyber Issue in 2026

viviandufour, , , Leave a comment



The United Kingdom’s public sector is under increasing cyber pressure.

Government departments, healthcare systems, local councils, and public institutions now rely heavily on interconnected digital infrastructure. Much of that infrastructure was built years ago and still depends on ageing systems that are difficult to update, monitor, or secure properly.

At the same time, public sector software increasingly relies on open-source components. These dependencies help teams develop systems faster and reduce costs, but they also introduce software supply chain risk when vulnerabilities are not tracked or patched consistently.

Together, legacy infrastructure and unmanaged open-source dependencies are creating a difficult security environment. Attacks are becoming more disruptive, more expensive, and harder to contain.

Legacy Systems Remain Widespread Across the Public Sector

Legacy technology remains one of the biggest cyber security weaknesses inside UK public infrastructure.

The National Audit Office warned in 2025 that many government systems remain “high risk” due to age, unsupported software, and outdated architecture. 

Infographic about UK public sector legacy IT systems, highlighting 228 identified systems, 28% rated red due to high risk, and 53% lacking fully funded remediation plans.

The UK government’s own Cyber Action Plan similarly acknowledged that some legacy systems cannot be defended effectively using modern security controls.

Many of these systems:

  • Were built decades ago
  • Cannot be patched easily
  • Depend on outdated software stacks
  • Lack compatibility with modern security tooling
  • Require specialist maintenance knowledge

Replacing these systems is difficult. Large public sector upgrades are expensive, operationally risky, and often slowed by procurement complexity.

As a result, vulnerable systems frequently remain active long after safer alternatives are available.

Why Legacy Systems Increase Cyber Risk

Older systems are easier targets for attackers because they often lack basic modern protections.

Many do not support strong identity controls, modern encryption standards, or real-time threat monitoring. Some are no longer supported by vendors, meaning newly discovered vulnerabilities may never receive official patches.

Legacy systems also create wider operational risk because they are rarely isolated. Most are connected to newer applications, databases, cloud environments, or third-party services.

That means a vulnerability in one outdated system can become an entry point into a much larger network.

The National Audit Office has warned that ageing systems increase the likelihood of successful attacks and make incident recovery more difficult once breaches occur.

Download Meterian’s 2026 Predictions EBook. Master the New Rules of Software Sovereignty to understand why traditional AppSec models are breaking down and how leadership teams can prepare. 

Open-Source Software Adds Another Layer of Risk

Open-source software now powers most modern applications.

Public sector organisations use open-source frameworks, libraries, and packages across internal systems, citizen services, cloud applications, and third-party platforms.

The challenge is visibility.

Modern applications often contain hundreds or thousands of software dependencies, including transitive dependencies that developers may not even realise are present.

If organisations do not know which components exist inside their software, they cannot know which vulnerabilities affect them.

Research consistently shows that the majority of modern software contains open-source code. Many applications also contain known vulnerabilities that remain unresolved long after patches become available.

This is becoming a major concern for governments worldwide because vulnerable open-source components can spread risk across multiple systems at scale.

Want to see how vulnerable open-source dependencies can be identified earlier in development? Try HEIDI by Meterian, a free IDE plugin built to help developers find vulnerable packages and move to safer versions while they code.

The Log4j Problem Showed How Fast Risk Can Spread

The Log4j vulnerability remains one of the clearest examples of software supply chain risk.

Even years after the Log4Shell vulnerability was disclosed and patched, vulnerable versions continued appearing inside production systems worldwide.

Reports in 2025 showed that a significant percentage of Log4j downloads still contained vulnerable versions despite years of public awareness.

Infographic titled 'Log4j: A Warning About Software Supply Chain Risk' showing that 13% of global Log4j downloads in 2025 were still vulnerable, with UK rate at 14%. Approximately 300 million Log4j downloads in 2025, 40 million still unsafe. Notes that vulnerable code can remain in production even with existing patches.

The issue was never simply the existence of the vulnerability itself. The larger problem was that many organisations did not know where Log4j existed inside their software stack.

This is the core software supply chain challenge facing public sector organisations today.

A single vulnerable dependency can quietly exist across government systems, suppliers, applications, and service providers without clear visibility.

Cyber Attacks Against Public Services Are Increasing

The cyber threat facing the UK public sector continues to intensify.

The National Cyber Security Centre reported a growing number of nationally significant cyber incidents in its latest annual review. State-backed threat actors, ransomware groups, and financially motivated attackers continue targeting public infrastructure because disruption creates immediate pressure.

Several recent incidents have shown how severe the consequences can become.

Healthcare Systems

The NHS has experienced repeated cyber incidents linked to outdated infrastructure and unpatched vulnerabilities.

These attacks disrupted services, delayed operations, and exposed sensitive patient information. Healthcare systems remain particularly vulnerable because they depend on large interconnected environments that are difficult to modernise quickly.

The British Library Attack

The cyber attack against the British Library became one of the UK’s clearest examples of how legacy technology can worsen the impact of a breach.

The incident caused major operational disruption and lengthy recovery efforts. Later analysis linked the severity of the attack partly to historic underinvestment in cyber resilience and ageing infrastructure.

Local Government Disruption

Local councils across the UK have also faced growing cyber pressure.

Attacks have disrupted housing systems, benefits administration, and citizen services. In some cases, organisations were forced to revert to manual processes while systems recovered.

For public services, cyber incidents quickly become operational problems rather than isolated IT failures.

Why This Is Becoming a National Resilience Issue

The combined effect of legacy systems and open-source vulnerabilities creates broader national risk.

These issues are interconnected.

A vulnerable open-source component inside a legacy environment can affect multiple public services simultaneously. Once attackers gain access, interconnected systems make lateral movement easier and containment harder.

The consequences can include:

  • Service disruption
  • Data breaches
  • High remediation costs
  • Operational downtime
  • Delayed digital transformation
  • Increased exposure to state-sponsored attacks

Public infrastructure now depends heavily on software resilience. When software supply chains become difficult to monitor, national resilience becomes harder to maintain.

What Needs to Change

The UK public sector does not need to stop using open-source software. That would be unrealistic and counterproductive.

The priority is visibility.

Public sector teams need to know which open-source components are inside their software, where vulnerable versions are being used, and which fixes are available. This needs to happen continuously, because new vulnerabilities emerge every day.

Security also needs to move closer to development. If vulnerable dependencies are only discovered late in CI/CD, or after deployment, remediation becomes slower and more expensive.

The strongest approach is to make dependency security part of the normal development workflow. Developers should be able to see vulnerable packages, understand the risk, and move to safer versions before code reaches production.

Conclusion

The UK public sector faces a layered cyber security problem.

Legacy systems create weak points. Unmanaged open-source dependencies add software supply chain risk. Together, they make public services more exposed to attacks that can disrupt operations, expose data, and damage national resilience.

Modernising public infrastructure will take time. But visibility over open-source risk can improve now.

Knowing what is inside public sector software is the first step toward protecting the services people rely on every day.

The UK Public Sector is Facing a Big Cyber Issue in 2026

Meterian Launches Free IDE Plugin to Automatically Find and Fix Vulnerabilities while Coding

viviandufourLeave a comment

London, April 30, 2026 – Meterian, the UK-based open-source security company, today announced the launch of HEIDI, a free security plugin for Integrated Development Environments (IDEs). 

Available on Visual Studio Code and the JetBrains IDEs, HEIDI enables developers to detect and fix open-source vulnerabilities directly inside their coding environment, making security part of everyday development rather than an afterthought. 

Within a month of deploying on Visual Studio Marketplace, the free plugin has seen nearly 5,000 installs from developers. This level of pre-launch engagement reflects the critical demand for such a project. 

With software supply chain attacks on the rise and open-source dependencies powering 80–90% of modern applications, the risks of leaving vulnerabilities unchecked are increasing. Yet most security scanning still happens late in the process, inside CI/CD pipelines or after release. 

Open-source software developer Roberto Franchini of ArcadeDB said, “It is the reality of using AI for development that LLMs do not know about vulnerabilities exposed today. HEIDI serves as an important live security layer by comparing AI proposals with current threat intelligence information. This means that we can take advantage of AI without incurring the security debt from old data sets.”  By shifting security into the IDE, HEIDI allows developers to identify and fix issues before code ever leaves their machine.

“Developers spend most of their time coding inside IDEs. HEIDI meets them where they work, ensuring security isn’t an extra step but part of the process itself,” said Bruno Bossola, CTO and co-founder of Meterian. “This is how we reduce security debt, cut patching costs, and prevent vulnerable code from reaching production.”

HEIDI also extends its capabilities through a built-in Model Context Protocol (MCP) server that connects directly with AI coding assistants. Unlike most AI tools, which depend on static pre-trained knowledge, HEIDI brings real-time vulnerability intelligence into the developer’s AI workflow, including tools such as Codex, Claude, GitHub Copilot, Cursor, Windsurf, and other MCP-compatible assistants.

Key Features of HEIDI

  • Automatic vulnerability scanning of direct and transitive dependencies.
  • One-click fixes that let developers apply remediation instantly.
  • Lightweight reporting with actionable insights inside the IDE.
  • No source code transferred — only manifest files are scanned, protecting IP.
  • Language support: Java, .NET, NodeJS, Python, PHP, Ruby, Rust, Go.
  • AI assistant integration via built-in MCP server with real-time vulnerability intelligence.

The urgency is clear from recent concerns around Anthropic’s Claude Mythos. Anthropic said Mythos Preview could identify and exploit zero-day vulnerabilities in major operating systems and browsers.

HEIDI is built for the defensive side of that shift, giving AI coding assistants current, project-specific dependency risk context so developers can spot vulnerable packages, understand the risk, and apply safer upgrade paths before code ships. 

A Seamless Path to Enterprise Security

The free HEIDI plugin delivers immediate value to developers, while offering a natural pathway to Meterian’s enterprise Software Composition Analysis (SCA) suite, which provides advanced CI/CD integrations, SBOM management, custom security policies, and comprehensive reporting.

Meterian is engaging open-source communities, OWASP chapters, and developer forums to build grassroots traction.

Why It Matters

According to IBM’s 2025 Data Breach Report, the average breach costs $4.4 million — but vulnerabilities discovered late in the development cycle are far more expensive to fix. By embedding checks early in the software development lifecycle, HEIDI empowers developers to find, fix, and ship securely.

HEIDI is now available for free download on the Visual Studio Code Marketplace, the JetBrains marketplace,  and the OpenVSX registry. All information about HEIDI, including documentation and tutorials, can be found by visiting https://www.meterian.io/product/heidi/.

About Meterian

Meterian is a cybersecurity company specialising in open-source vulnerability detection and automated remediation. Its AI-powered platform helps organisations protect their software supply chains, reduce security debt, and ensure compliance with international standards. Headquartered in London, Meterian serves global clients across critical industries.

Logo design for Meterian featuring the word 'HEIDI' in bold blue letters with the tagline 'Security where you code' below.
Meterian Launches Free IDE Plugin to Automatically Find and Fix Vulnerabilities while Coding

UK Manufacturing Cyber Security: Why Ransomware and DDoS Attacks Are Now Operational Risks

viviandufour, , Leave a comment
An industrial automation scene showcasing robotic arms in a factory setting. The image highlights cyber risk with visual indicators for system status, threat activity, and network traffic. Text overlay reads 'Cyber Risk, Real Downtime' emphasizing the impact of software risk on operations.

UK manufacturing is becoming more exposed to cyber disruption as factories rely on connected systems, industrial software, cloud platforms, and third-party suppliers.

Ransomware and denial-of-service attacks are among the most damaging threats. They can stop production, delay shipments, disrupt supply chains, and create direct financial losses.

For manufacturers, cyber risk now reaches far beyond IT systems. It affects uptime, safety, fulfilment, customer commitments, and business continuity.

UK Manufacturers Are Facing a Higher Level of Cyber Disruption

A 2026 ESET survey found that 78% of UK manufacturers experienced a cyber incident in the past year. 

Among affected firms, 95% reported direct business impact, 53% suffered financial loss, 44% faced supply chain disruption, and 39% missed customer or supplier commitments. Some incidents caused losses above £250,000.

Infographic detailing UK manufacturing cyber risk statistics, highlighting that 78% of UK manufacturers experienced a cyber incident in the past year. Additional statistics include 95% reported direct business impact, 53% suffered financial loss, 44% faced supply chain disruption, and some incidents caused losses above £250k. It also notes that 43% of businesses in the wider UK reported a breach or attack.

The wider UK picture is also concerning. The UK government’s Cyber Security Breaches Survey 2025 found that 43% of UK businesses experienced a cyber breach or attack in the previous 12 months. The figure rose to 67% for medium businesses and 74% for large businesses.

Manufacturing is especially exposed because downtime has an immediate cost. A locked system or unavailable application can quickly become a halted line, a missed order, or a broken supplier commitment.

Ransomware Remains the Primary Cyber Threat

Ransomware remains one of the most serious threats to UK organisations. The National Crime Agency describes ransomware deployment as the UK’s greatest cyber serious and organised crime threat, with risks to Critical National Infrastructure and national security.

A ransomware attack usually blocks access to systems or data until a payment is demanded. Modern ransomware campaigns often go further. Attackers may steal data, threaten to publish intellectual property, pressure suppliers, and use public disruption to force negotiations.

This is dangerous for manufacturers because production depends on availability. If planning systems, engineering files, logistics platforms, or connected production environments become unavailable, the impact can move quickly from digital systems into physical operations.

The Jaguar Land Rover cyber incident showed how severe that impact can become. 

Infographic detailing the Jaguar Land Rover cyberattack, highlighting an estimated £1.9 billion financial impact on the UK, affecting over 5,000 organizations, halting production lines for several weeks, and resulting in canceled or delayed supplier orders.

The Cyber Monitoring Centre categorised the 2025 JLR incident as a Category 3 systemic event, estimating a £1.9 billion UK financial impact and effects across more than 5,000 UK organisations. 

Production lines were halted for several weeks, and suppliers faced cancelled or delayed orders. That case underlines the central point: a major cyber incident in manufacturing can become a supply chain event.

DDoS Attacks Can Stop Access to Critical Services

Denial-of-service attacks create disruption by overwhelming websites, applications, or networks. The Information Commissioner’s Office describes a DoS attack as an attempt to stop normal system function by overloading it and creating a virtual “traffic jam.” 

In a distributed denial-of-service attack, the attacker uses many connected devices to flood the target from multiple points.

For manufacturers, DDoS risk is not limited to public websites. It can affect customer portals, supplier platforms, remote access systems, cloud dashboards, and connected industrial services.

UK government data shows denial-of-service attacks affected 15% of large businesses that experienced a cyber breach or attack, compared with 5% of businesses overall.

The practical impact is simple. If key systems are unavailable, production planning slows down, orders cannot be processed, suppliers lose visibility, and internal teams are forced into manual workarounds.

Why Manufacturing Is Especially Vulnerable

Manufacturing has a different risk profile from many office-based sectors.

Many firms still run legacy operational technology alongside newer digital systems. Older systems are often difficult to patch, hard to monitor, and expensive to replace. As IT and OT environments become more connected, weaknesses in one area can create exposure in another.

Manufacturers also depend on complex supplier networks. A vulnerability in a third-party system, open-source component, software update, or connected service can create risk across several organisations.

This makes software supply chain security critical. Modern manufacturing companies often use internal applications, vendor platforms, cloud services, containerised workloads, and open-source libraries. 

Open source software makes up an estimated 80–90% of software application code, which means dependency risk is now part of operational resilience.

Infographic illustrating that 80-90% of application code is open source, highlighting open source dependencies, associated risks including security, availability, and performance risks, as well as the concept of weak dependency and its impact on operational resilience.

Attackers understand this. They do not always need to attack the factory floor directly. They can exploit exposed software, vulnerable dependencies, weak supplier access, or outdated components that sit inside the wider digital environment.

The Preparedness Gap

Many organisations still lack the right level of preparation.

The UK government’s Cyber Security Breaches Survey 2025 found that only 32% of businesses had a business continuity plan covering cyber security. For micro businesses, the figure was 27%.

That gap matters because prevention alone is not enough. Manufacturers need to know what software they use, which components are vulnerable, which systems are exposed, and how quickly they can recover when something goes wrong.

A strong cyber resilience plan should include:

  • Tested backup and recovery processes
  • Network segmentation between IT and OT systems
  • Regular vulnerability assessment
  • Software Bill of Materials visibility
  • Continuous monitoring of open-source components
  • Incident response planning
  • Clear supplier security expectations
  • Developer workflows that catch risks before release

Cyber Essentials, penetration testing, and annual reviews all have value. However, they cannot replace continuous visibility. New vulnerabilities are disclosed every day. A system that was safe last month may be exposed today.

Where Meterian and Cybersecurity Services Fit

Meterian helps organisations reduce software supply chain risk by giving security and engineering teams clearer visibility into open-source dependencies, vulnerable components, and remediation priorities.

Meterian-X provides continuous review of open-source libraries, risk prioritisation, actionable reporting, policy controls, and alerts that help teams fix issues earlier in the software development lifecycle.

For manufacturing businesses, this matters because software now supports production planning, supplier coordination, logistics, customer delivery, connected devices, and internal operations.

Meterian can help teams:

  • Identify vulnerable open-source components
  • Monitor dependencies continuously
  • Prioritise the most urgent risks
  • Generate clear reports for developers and security teams
  • Support governance and compliance workflows
  • Integrate security checks into DevSecOps pipelines
  • Scan application codebases and container images

Meterian’s HEIDI plugin also brings open-source vulnerability detection directly into the IDE. It helps developers catch and resolve vulnerable dependencies during the coding phase, before issues reach production systems.

That early visibility matters. The later a vulnerability is found, the more expensive and disruptive it becomes to fix.

Want to understand where open-source vulnerabilities may be hiding in your software supply chain? Use Meterian to scan your codebase, monitor dependencies continuously, and give your teams clear remediation paths before risk reaches production.

Building Cyber Resilience in UK Manufacturing

UK manufacturers cannot remove every cyber risk. They can reduce exposure, improve visibility, and make disruption less damaging.

That starts with treating software supply chain security as part of operational resilience. Manufacturers need to know which components they rely on, where vulnerabilities exist, and which fixes should come first.

The most resilient organisations will be those that connect security with engineering, operations, procurement, and risk management. Continuous scanning, dependency visibility, and fast remediation should become standard controls for any software-driven manufacturing environment.

Conclusion

Ransomware and DDoS attacks are now serious operational risks for UK manufacturing.

The sector depends on connected software, complex suppliers, and production systems that cannot afford prolonged downtime. Recent incidents show that a cyberattack can stop production, delay orders, expose sensitive data, and affect thousands of connected organisations.

Manufacturers need more than periodic testing and basic compliance. They need continuous visibility across the software systems that support their operations.

Meterian helps manufacturers strengthen that visibility by scanning codebases, monitoring open-source dependencies, prioritising vulnerabilities, and supporting DevSecOps workflows.

UK Manufacturing Cyber Security: Why Ransomware and DDoS Attacks Are Now Operational Risks

Cybersecurity Reflection: 2025 Showed the Cost of Ignoring Open Source Vulnerabilities

viviandufourLeave a comment
3–4 minutes
Illustration depicting the concept of the 'Cost of Ignoring Open Source,' featuring industrial structures above ground and a network of roots or circuits below the surface.

We’re already into the second half of 2026, and it’s worth pausing for a second. Not to recap headlines, but to understand what actually changed in terms of security. 

Spoiler alert…. A lot. 

Because 2025 wasn’t just another year of breaches. The scale was larger, and the impact was more visible. 

The attack on Jaguar Land Rover brought that into focus. Production stopped for months. The losses were estimated at £1.9 billion. The disruption moved straight into operations and revenue.

In the education sector, Kido International faced a ransomware incident that exposed personal data linked to thousands of children and staff. The impact here sat around safeguarding and trust.

Retail saw a similar strain. The ShinyHunters group claimed breaches across multiple brands, including Marks & Spencer. Some platforms lost the ability to trade online during the disruption.

Alongside these cases, a large pool of over 16 billion credentials circulated across criminal forums. Those datasets fed ongoing account takeover attempts throughout the year.

None of this felt isolated. The same weaknesses appeared again and again.

Constant Pressure on Infrastructure

Attacks moved closer to systems that support daily life.

The incident in Poland’s energy sector showed how attackers can move across IT and operational environments. That overlap creates a different kind of exposure.

In the UK, water utilities faced continued pressure from ransomware incidents. These systems often rely on older industrial controls with limited visibility.

At the consumer level, compromised IoT devices formed large botnets. Devices that sit in homes became part of wider attack infrastructure without the user being aware.

The surface area kept expanding.

The Supply Chain Problem is Getting Bigger

Across these incidents, the supply chain kept appearing in the background.

Attackers focused on software providers, cloud platforms, and third-party tools. Access at that level opens the door to many organisations at once.

This approach scales efficiently. One weakness can affect a large number of systems downstream.

For most organisations, this sits outside direct control. That makes it harder to track and harder to manage.

What’s Changing in 2026? A lot

The direction for the coming year is already visible.

Attack workflows are becoming faster. Automation plays a larger role. AI is being used to scan systems, prepare phishing content, and identify weak points.

The targets remain consistent. Local government systems, supply chains, and infrastructure continue to attract attention.

These environments often operate with limited resources and older technology. That combination creates exposure that is difficult to close quickly.

The Open Source Reality

Most systems depend on open source components.

That dependency runs deep. Many components sit several layers down, out of sight during routine checks.

Over time, vulnerabilities build up in those layers. Without active monitoring, they remain unnoticed.

Periodic reviews miss changes that happen between audits. New vulnerabilities appear regularly, and attackers move quickly once they are public.

Continuous monitoring becomes part of day-to-day security, rather than an occasional task.

Read our full list of open source security predictions for 2026 – Is your security team considering all of these threats?

What Needs to Change

The events of 2025 point to a clear shift in approach.

Security needs to keep pace with how quickly vulnerabilities appear and spread. That requires visibility into dependencies and a way to respond without delay.

The focus moves toward shorter response times and better awareness of what sits inside each system.

Small gaps tend to expand quickly when left unattended.

Closing Thought

The past year showed how cyber incidents now reach into operations, services, and public systems.

The same patterns are already carrying into 2026.

The difference will come from how quickly organisations detect and respond to what is already present in their environment.

What can you do? Start with visibility. Continuous monitoring of your open source components is non-negotiable.

Cybersecurity Reflection: 2025 Showed the Cost of Ignoring Open Source Vulnerabilities

Open Source Security in 2026: From Vulnerabilities to Trust

viviandufour1 Comment
A digital illustration of a red shield with a lock symbol, representing cybersecurity and data protection, surrounded by circuit patterns and binary code.

Open-source software remains the backbone of modern digital infrastructure. In 2025, it also became one of the most consistently exploited attack surfaces. The reason was not a sudden spike in zero-days or developer negligence. It was a shift in how attackers operate.

The most consequential incidents of the past year exploited trust, not flaws.

Supply-chain attacks targeting open-source ecosystems demonstrated how compromised maintainer accounts, long-lived credentials, and automated build pipelines could be abused to harvest access at scale. 

Visual representation showing a digital padlock with a chain, overlaid with statistics about open-source code vulnerabilities in applications: 97% contain open-source code, 86% have known vulnerabilities, and 80% include high or critical-risk issues.

These campaigns often caused little immediate disruption, but enabled attackers to map environments, collect secrets, and return later with legitimate access.

By the end of 2025, one thing was clear: traditional application security models no longer scale.

What Changed in 2025

Several structural shifts defined the open-source security landscape:

  • Vulnerability disclosures reached record levels, while exploit timelines shrank to days or hours
  • Many high-impact incidents exploited known issues, stolen credentials, or trusted update paths, not novel vulnerabilities
  • npm and other ecosystems became focal points for malicious package activity and maintainer compromise
  • Public sector disruptions highlighted how shared platforms and third-party dependencies amplify blast radius

The lesson was not that visibility failed. It was that visibility without execution failed.

The Shift Heading Into 2026

As organisations move into 2026, open-source security is undergoing a fundamental reset.

Security will no longer be measured by how many vulnerabilities are detected. It will be measured by how effectively organisations can preserve trust, limit blast radius, and prove control in real time.

Several trends are already taking shape.

1. AppSec Becomes Software Supply Chain Security

Point solutions focused on scanning are being replaced by end-to-end approaches that span dependencies, containers, infrastructure-as-code, CI/CD pipelines, and build credentials. 

This convergence reflects how modern attacks unfold across the full delivery lifecycle, not within a single layer.

Diagram explaining failures of traditional AppSec models with four key points: periodic scans not reflecting real-time exposure, severity-based prioritization ignoring exploitability and usage, compliance evidence lagging operational reality, and manual remediation failing to keep pace with dependency churn.

2. Automated Fixing Moves to the Center

Manual remediation cannot keep pace with automated attacks. In 2026, fix-first security models and automated remediation are becoming the default, operating as an invisible layer that reduces risk without slowing development.

3. Regulation Drives Security Decisions

Regulatory frameworks such as the EU Cyber Resilience Act and NIS2 are shifting security investment from discretionary to mandatory. Organisations are increasingly expected to demonstrate timely remediation, secure-by-design practices, and auditable evidence of control.

“Security platforms that cannot produce machine-verifiable compliance evidence will increasingly fail procurement and audit requirements. Best-effort security will not satisfy fixed remediation deadlines. Automation becomes mandatory,” – Vivian Dufour, CEO at Meterian

4. SBOMs Are Necessary, But Not Sufficient

SBOM adoption continues to grow, but inventories alone do not prevent compromise. What matters is whether SBOM data is connected to enforcement, provenance verification, and remediation workflows.

5. Developer Experience Becomes a Security Control

Security tools that disrupt developers are bypassed. Tools that integrate quietly into existing workflows are adopted. In 2026, developer experience is no longer a usability concern — it is a security requirement.

6. Trust, Provenance, and Data Governance Take Priority

Recent supply-chain campaigns showed that attackers often harvest credentials and intelligence first, then exploit trust later. This elevates provenance, integrity, and governance of security data to board-level concerns.

The Question Leaders Must Answer

The defining question for 2026 is no longer whether another supply-chain incident will occur.

It is whether an organisation can respond faster than the attacker when trust breaks.

That response depends on automation, governance, and the ability to prove resilience continuously — not once a year, not after an incident.

Read the Full Predictions Report

This article captures only a portion of the findings from Meterian’s Open Source Security Predictions for 2026, which draws on 2025 attack data, public-sector incidents, and direct insights from Meterian’s CEO and CTO.

The full report explores:

  • Why supply-chain attacks are shifting toward reconnaissance and delayed exploitation
  • How regulation is reshaping open-source security strategy
  • What leaders must do in the next 90 days to reduce systemic risk

👉 Download the full Open Source Security Predictions for 2026 report to understand what’s changing — and how to prepare.

Open Source Security in 2026: From Vulnerabilities to Trust

PRESS RELEASE Meterian Issues Public Warning to UK Public Sector Following Recent Cyber Attacks on London Councils

viviandufourLeave a comment

London, UK — Dec 4, 2025


Meterian, a UK-based application security leader, today acknowledges the series of cyber attacks that have recently impacted several London councils, causing significant disruption to public services and exposing ongoing vulnerabilities within local government systems.

These attacks follow a prediction made earlier this year by Bruno Bossola, Meterian’s Chief Technology Officer, who accurately forecast the emergence of the supply-chain-based cyber threat that went on to disrupt organisations across multiple sectors. His analysis has now identified indicators of a new, more severe wave of attacks on the horizon, with public sector organisations likely to be primary targets due to their critical role and often complex digital estates.

“Public services are under unprecedented pressure,” said Bruno Bossola. “Our threat intelligence suggests that the recent breaches are only the beginning. A second, more sophisticated attack vector is emerging, and public sector organisations along with the Supply Chain must act now to strengthen their application security and supply chain defences.”

In response to the escalating threat environment, Meterian is extending support to all UK public sector organisations by offering complimentary trial access to its automated risk-scanning tool. This initiative aims to help councils, NHS Trusts, government departments, and other public bodies quickly identify vulnerabilities within their software supply chains and critical applications before attackers exploit them.

Through proactive, automated detection, repair, and continuous monitoring, Meterian provides organisations with an early-warning capability, something traditional penetration testing or annual audits cannot offer.

“Our mission is to help safeguard the UK’s critical infrastructure,” said the Meterian leadership team. “We recognise the pressure that councils and public bodies are facing. By making our scanning tool accessible, we aim to give the public sector the visibility and resilience needed to prevent the next attack rather than simply respond to it.”Public sector organisations interested in assessing their current risk exposure can register for a free 30-minute discovery call, during which Meterian’s specialists will guide them through the threat landscape and provide access to the scanning platform.

About Meterian
Meterian is a leading application security provider specialising in automated detection, remediation, and continuous monitoring of vulnerabilities within software supply chains. Trusted by organisations across finance, technology, and critical infrastructure sectors, Meterian delivers real-time insight and protection to help businesses stay ahead of emerging threats.

PRESS RELEASE Meterian Issues Public Warning to UK Public Sector Following Recent Cyber Attacks on London Councils

Shai-Hulud 2.0: What executives need to know about the supply-chain worm (Nov 24, 2025)

bbossola, , Leave a comment
6–9 minutes
Shai-Hulud 2.0: What executives need to know about the new npm supply-chain worm (Nov 24, 2025)

On November 24, 2025, a second wave of the “Shai-Hulud” npm supply-chain attack began spreading through the JavaScript ecosystem. Attackers compromised maintainer accounts, published trojanized versions of legitimate packages, and used them as a worm to steal credentials and propagate into more projects and organizations.

What happened (in plain terms)

  • Trusted packages were silently replaced with malicious updates. When developers or CI systems installed these versions, the malware ran automatically during install.
  • The malware steals secrets at scale. The payload hunts for npm/GitHub tokens and cloud credentials, then exfiltrates them to attacker-controlled repos.
  • This wave is more capable than September’s. Researchers observed improved execution (including the Bun runtime) and broader credential targeting, making infection faster and harder to spot.
  • High-profile vendors were hit. Packages tied to Zapier, ENS Domains, Postman, PostHog, AsyncAPI and others were compromised, showing the attackers can reach well-run projects—not just obscure libs.

Why this matters to your business

This is not a “developer problem.” It is a direct enterprise risk:

  1. Credential theft = account takeover. If a compromised package was installed in your environment, assume tokens and keys on that machine (or CI runner) may be stolen. That can lead to cloud breaches, source-code theft, or ransomware-style follow-on attacks.
  2. Supply chain blast radius is huge. npm packages are deeply nested in modern apps. One infected dependency can taint many internal services before anyone notices. The campaign has already spread into tens of thousands of GitHub repos.
  3. Regulatory and reputational exposure. If attacker access leads to customer data loss or service disruption, you face incident-response costs, disclosure obligations, and trust damage.

Immediate actions (next 24–72 hours) for your engineering team

If your engineering team uses Node.js / npm anywhere:

  1. Identify exposure.
    • Compare your dependency lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) to the known malicious package/version list from current advisories
    • Search CI logs and build images for installs of those versions around Nov 24, 2025 onward.
    • If you are using Meterian, your teams will be notified tomorrow of any outstanding issue in your projects, while you can also manually trigger a rescan
  2. Treat potentially affected environments as compromised.
    • Rotate all secrets that could have been accessible to developer machines or CI runners: npm tokens, GitHub tokens, cloud keys, DB creds, SaaS API keys.
    • Re-issue creds from a clean machine.
  3. Hunt for persistence.
    • Check for unexpected GitHub Actions / CI workflows, new secrets, or unfamiliar deploy keys. Earlier Shai-Hulud waves used CI backdoors to keep access.
  4. Block known bad versions now.
    • Add deny-lists in artifact proxies (e.g., npm registry mirrors) and internal policy gates.
    • Pin safe versions until the incident stabilizes.

Medium-term fixes (next few weeks) for your engineering team

  • Eliminate long-lived registry tokens. The attack leveraged stolen or weakly protected maintainer/CI tokens; reducing token lifetime and scope cuts worm propagation.
  • Harden CI/CD. Run builds in isolated runners with minimal secrets; require approvals for workflow changes.
  • Adopt dependency trust controls.
    • Prefer verified publishing / signed releases where available.
    • Add automated checks for sudden owner changes, new install scripts, or unusual publish patterns.

The take-home

Shai-Hulud 2.0 is a credential-stealing worm riding on the npm ecosystem. It spreads through normal installs, targets high-value developer and cloud secrets, and has already hit mainstream packages. The right executive posture is: assume compromise if exposed, rotate secrets fast, and tighten the software supply chain permanently. After last September’s incident, we predicted this would rear its ugly head again. Watch a brief update and warning shared earlier this week at one of our meetings.

Meterian CTO Bruno Bossola shares the growing blast radius and all consumers of NPM must stop it

This is a story under development!

Please keep an eye on this blog page, in the meantime here’s the list of affected packages and versions so far:

Package Malicious version(s)
Package name Affected versions
@accordproject/concerto-analysis 3.24.1
@accordproject/concerto-linter 3.24.1
@accordproject/concerto-linter-default-ruleset 3.24.1
@accordproject/concerto-metamodel 3.12.5
@accordproject/concerto-types 3.24.1
@accordproject/markdown-it-cicero 0.16.26
@accordproject/template-engine 2.7.2
@actbase/css-to-react-native-transform 1.0.3
@actbase/native 0.1.32
@actbase/node-server 1.1.19
@actbase/react-absolute 0.8.3
@actbase/react-daum-postcode 1.0.5
@actbase/react-kakaosdk 0.9.27
@actbase/react-native-actionsheet 1.0.3
@actbase/react-native-devtools 0.1.3
@actbase/react-native-fast-image 8.5.13
@actbase/react-native-kakao-channel 1.0.2
@actbase/react-native-kakao-navi 2.0.4
@actbase/react-native-less-transformer 1.0.6
@actbase/react-native-naver-login 1.0.1
@actbase/react-native-simple-video 1.0.13
@actbase/react-native-tiktok 1.1.3
@afetcan/api 0.0.13
@afetcan/storage 0.0.27
@alexadark/amadeus-api 1.0.4
@alexadark/gatsby-theme-events 1.0.1
@alexadark/gatsby-theme-wordpress-blog 2.0.1
@alexadark/reusable-functions 1.5.1
@alexcolls/nuxt-socket.io 0.0.7|0.0.8
@alexcolls/nuxt-ux 0.6.1|0.6.2
@alexcolls/nuxt-ux 0.6.2|0.6.1
@antstackio/eslint-config-antstack 0.0.3
@antstackio/express-graphql-proxy 0.2.8
@antstackio/graphql-body-parser 0.1.1
@antstackio/json-to-graphql 1.0.3
@antstackio/shelbysam 1.1.7
@aryanhussain/my-angular-lib 0.0.23
@asyncapi/dotnet-rabbitmq-template 1.0.2|1.0.1
@asyncapi/edavisualiser 1.2.2|1.2.1
@asyncapi/go-watermill-template 0.2.76|0.2.77
@asyncapi/java-template 0.3.6|0.3.5
@asyncapi/keeper 0.0.3|0.0.2
@asyncapi/php-template 0.1.2|0.1.1
@asyncapi/python-paho-template 0.2.15|0.2.14
@asyncapi/server-api 0.16.25|0.16.24
@asyncapi/studio 1.0.3|1.0.2
@asyncapi/web-component 2.6.7|2.6.6
@bdkinc/knex-ibmi 0.5.7
@browserbasehq/bb9 1.2.21
@browserbasehq/director-ai 1.0.3
@browserbasehq/mcp 2.1.1
@browserbasehq/mcp-server-browserbase 2.4.2
@browserbasehq/sdk-functions 0.0.4
@browserbasehq/stagehand 3.0.4
@browserbasehq/stagehand-docs 1.0.1
@caretive/caret-cli 0.0.2
@chtijs/eslint-config 1.0.1
@clausehq/flows-step-httprequest 0.1.14
@clausehq/flows-step-jsontoxml 0.1.14
@clausehq/flows-step-mqtt 0.1.14
@clausehq/flows-step-sendgridemail 0.1.14
@clausehq/flows-step-taskscreateurl 0.1.14
@cllbk/ghl 1.3.1
@commute/bloom 1.0.3
@commute/market-data 1.0.2
@commute/market-data-chartjs 2.3.1
@dev-blinq/ai-qa-logic 1.0.19
@dev-blinq/cucumber_client 1.0.738
@dev-blinq/cucumber-js 1.0.131
@dev-blinq/ui-systems 1.0.93
@ensdomains/address-encoder 1.1.5
@ensdomains/blacklist 1.0.1
@ensdomains/buffer 0.1.2
@ensdomains/ccip-read-cf-worker 0.0.4
@ensdomains/ccip-read-dns-gateway 0.1.1
@ensdomains/ccip-read-router 0.0.7
@ensdomains/ccip-read-worker-viem 0.0.4
@ensdomains/content-hash 3.0.1
@ensdomains/curvearithmetics 1.0.1
@ensdomains/cypress-metamask 1.2.1
@ensdomains/dnsprovejs 0.5.3
@ensdomains/dnssec-oracle-anchors 0.0.2
@ensdomains/dnssecoraclejs 0.2.9
@ensdomains/durin 0.1.2
@ensdomains/durin-middleware 0.0.2
@ensdomains/ens-archived-contracts 0.0.3
@ensdomains/ens-avatar 1.0.4
@ensdomains/ens-contracts 1.6.1
@ensdomains/ens-test-env 1.0.2
@ensdomains/ens-validation 0.1.1
@ensdomains/ensjs 4.0.3
@ensdomains/ensjs-react 0.0.5
@ensdomains/eth-ens-namehash 2.0.16
@ensdomains/hackathon-registrar 1.0.5
@ensdomains/hardhat-chai-matchers-viem 0.1.15
@ensdomains/hardhat-toolbox-viem-extended 0.0.6
@ensdomains/mock 2.1.52
@ensdomains/name-wrapper 1.0.1
@ensdomains/offchain-resolver-contracts 0.2.2
@ensdomains/op-resolver-contracts 0.0.2
@ensdomains/react-ens-address 0.0.32
@ensdomains/renewal 0.0.13
@ensdomains/renewal-widget 0.1.10
@ensdomains/reverse-records 1.0.1
@ensdomains/server-analytics 0.0.2
@ensdomains/solsha1 0.0.4
@ensdomains/subdomain-registrar 0.2.4
@ensdomains/test-utils 1.3.1
@ensdomains/thorin 0.6.51
@ensdomains/ui 3.4.6
@ensdomains/unicode-confusables 0.1.1
@ensdomains/unruggable-gateways 0.0.3
@ensdomains/vite-plugin-i18next-loader 4.0.4
@ensdomains/web3modal 1.10.2
@everreal/react-charts 2.0.2
@everreal/react-charts 2.0.1|2.0.2
@everreal/validate-esmoduleinterop-imports 1.4.5
@everreal/validate-esmoduleinterop-imports 1.4.4|1.4.5
@everreal/web-analytics 0.0.2
@everreal/web-analytics 0.0.1|0.0.2
@faq-component/core 0.0.4
@faq-component/react 1.0.1
@fishingbooker/browser-sync-plugin 1.0.5
@fishingbooker/react-loader 1.0.7
@fishingbooker/react-pagination 2.0.6
@fishingbooker/react-raty 2.0.1
@fishingbooker/react-swiper 0.1.5
@hapheus/n8n-nodes-pgp 1.5.1
@hover-design/core 0.0.1
@hover-design/react 0.2.1
@huntersofbook/auth-vue 0.4.2
@huntersofbook/core 0.5.1
@huntersofbook/core-nuxt 0.4.2
@huntersofbook/form-naiveui 0.5.1
@huntersofbook/i18n 0.8.2
@huntersofbook/ui 0.5.1
@hyperlook/telemetry-sdk 1.0.19
@ifelsedeveloper/protocol-contracts-svm-idl 0.1.2|0.1.3
@ifelsedeveloper/protocol-contracts-svm-idl 0.1.2
@ifings/design-system 4.9.2
@ifings/metatron3 0.1.5
@jayeshsadhwani/telemetry-sdk 1.0.14
@kvytech/cli 0.0.7
@kvytech/components 0.0.2
@kvytech/habbit-e2e-test 0.0.2
@kvytech/medusa-plugin-announcement 0.0.8
@kvytech/medusa-plugin-management 0.0.5
@kvytech/medusa-plugin-newsletter 0.0.5
@kvytech/medusa-plugin-product-reviews 0.0.9
@kvytech/medusa-plugin-promotion 0.0.2
@kvytech/web 0.0.2
@lessondesk/api-client 9.12.2|9.12.3
@lessondesk/api-client 9.12.3|9.12.2
@lessondesk/babel-preset 1.0.1
@lessondesk/electron-group-api-client 1.0.3
@lessondesk/eslint-config 1.4.2
@lessondesk/material-icons 1.0.3
@lessondesk/react-table-context 2.0.4
@lessondesk/schoolbus 5.2.2|5.2.3
@livecms/live-edit 0.0.32
@livecms/nuxt-live-edit 1.9.2
@louisle2/core 1.0.1
@louisle2/cortex-js 0.1.6
@lpdjs/firestore-repo-service 1.0.1
@lui-ui/lui-nuxt 0.1.1
@lui-ui/lui-tailwindcss 0.1.2
@lui-ui/lui-vue 1.0.13
@markvivanco/app-version-checker 1.0.2|1.0.1
@ntnx/passport-wso2 0.0.3
@ntnx/t 0.0.101
@oku-ui/accordion 0.6.2
@oku-ui/alert-dialog 0.6.2
@oku-ui/arrow 0.6.2
@oku-ui/aspect-ratio 0.6.2
@oku-ui/avatar 0.6.2
@oku-ui/checkbox 0.6.3
@oku-ui/collapsible 0.6.2
@oku-ui/collection 0.6.2
@oku-ui/dialog 0.6.2
@oku-ui/direction 0.6.2
@oku-ui/dismissable-layer 0.6.2
@oku-ui/focus-guards 0.6.2
@oku-ui/focus-scope 0.6.2
@oku-ui/hover-card 0.6.2
@oku-ui/label 0.6.2
@oku-ui/menu 0.6.2
@oku-ui/motion 0.4.4
@oku-ui/motion-nuxt 0.2.2
@oku-ui/popover 0.6.2
@oku-ui/popper 0.6.2
@oku-ui/portal 0.6.2
@oku-ui/presence 0.6.2
@oku-ui/primitive 0.6.2
@oku-ui/primitives 0.7.9
@oku-ui/primitives-nuxt 0.3.1
@oku-ui/progress 0.6.2
@oku-ui/provide 0.6.2
@oku-ui/radio-group 0.6.2
@oku-ui/roving-focus 0.6.2
@oku-ui/scroll-area 0.6.2
@oku-ui/separator 0.6.2
@oku-ui/slider 0.6.2
@oku-ui/slot 0.6.2
@oku-ui/switch 0.6.2
@oku-ui/tabs 0.6.2
@oku-ui/toast 0.6.2
@oku-ui/toggle 0.6.2
@oku-ui/toggle-group 0.6.2
@oku-ui/toolbar 0.6.2
@oku-ui/tooltip 0.6.2
@oku-ui/use-composable 0.6.2
@oku-ui/utils 0.6.2
@oku-ui/visually-hidden 0.6.2
@orbitgtbelgium/mapbox-gl-draw-cut-polygon-mode 2.0.5
@orbitgtbelgium/mapbox-gl-draw-scale-rotate-mode 1.1.1
@orbitgtbelgium/orbit-components 1.2.9
@orbitgtbelgium/time-slider 1.0.187
@osmanekrem/bmad 1.0.6
@osmanekrem/error-handler 1.2.2
@pergel/cli 0.11.1
@pergel/module-box 0.6.1
@pergel/module-graphql 0.6.1
@pergel/module-ui 0.0.9
@pergel/nuxt 0.25.5
@posthog/agent 1.24.1
@posthog/ai 7.1.2
@posthog/cli 0.5.15
@posthog/clickhouse 1.7.1
@posthog/core 1.5.6
@posthog/hedgehog-mode 0.0.42
@posthog/icons 0.36.1
@posthog/lemon-ui 0.0.1
@posthog/nextjs-config 1.5.1
@posthog/nuxt 1.2.9
@posthog/piscina 3.2.1
@posthog/plugin-contrib 0.0.6
@posthog/react-rrweb-player 1.1.4
@posthog/rrdom 0.0.31
@posthog/rrweb 0.0.31
@posthog/rrweb-player 0.0.31
@posthog/rrweb-record 0.0.31
@posthog/rrweb-replay 0.0.19
@posthog/rrweb-snapshot 0.0.31
@posthog/rrweb-utils 0.0.31
@posthog/siphash 1.1.2
@posthog/wizard 1.18.1
@postman/aether-icons 2.23.4|2.23.3|2.23.2
@postman/csv-parse 4.0.5|4.0.3|4.0.4
@postman/node-keytar 7.9.6|7.9.4|7.9.5
@postman/tunnel-agent 0.6.7|0.6.6|0.6.5
@pradhumngautam/common-app 1.0.2
@productdevbook/animejs-vue 0.2.1
@productdevbook/auth 0.2.2
@productdevbook/chatwoot 2.0.1
@productdevbook/motion 1.0.4
@productdevbook/ts-i18n 1.4.2
@pruthvi21/use-debounce 1.0.3
@quick-start-soft/quick-document-translator 1.4.2511142126
@quick-start-soft/quick-git-clean-markdown 1.4.2511142126
@quick-start-soft/quick-markdown 1.4.2511142126
@quick-start-soft/quick-markdown-compose 1.4.2506300029
@quick-start-soft/quick-markdown-image 1.4.2511142126
@quick-start-soft/quick-markdown-print 1.4.2511142126
@quick-start-soft/quick-markdown-translator 1.4.2509202331
@quick-start-soft/quick-remove-image-background 1.4.2511142126
@quick-start-soft/quick-task-refine 1.4.2511142126
@relyt/claude-context-core 0.1.1
@sameepsi/sor 1.0.3
@sameepsi/sor2 2.0.2
@seezo/sdr-mcp-server 0.0.5
@seung-ju/next 0.0.2
@seung-ju/openapi-generator 0.0.4
@seung-ju/react-hooks 0.0.2
@seung-ju/react-native-action-sheet 0.2.1
@silgi/better-auth 0.8.1
@silgi/drizzle 0.8.4
@silgi/ecosystem 0.7.6
@silgi/graphql 0.7.15
@silgi/module-builder 0.8.8
@silgi/openapi 0.7.4
@silgi/permission 0.6.8
@silgi/ratelimit 0.2.1
@silgi/scalar 0.6.2
@silgi/yoga 0.7.1
@sme-ui/aoma-vevasound-metadata-lib 0.1.3
@strapbuild/react-native-date-time-picker 2.0.4
@strapbuild/react-native-perspective-image-cropper 0.4.15
@strapbuild/react-native-perspective-image-cropper-2 0.4.7
@strapbuild/react-native-perspective-image-cropper-poojan31 0.4.6
@suraj_h/medium-common 1.0.5
@thedelta/eslint-config 1.0.2
@tiaanduplessis/json 2.0.2|2.0.3
@tiaanduplessis/json 2.0.3|2.0.2
@tiaanduplessis/react-progressbar 1.0.1|1.0.2
@tiaanduplessis/react-progressbar 1.0.2|1.0.1
@trackstar/angular-trackstar-link 1.0.2
@trackstar/react-trackstar-link 2.0.21
@trackstar/react-trackstar-link-upgrade 1.1.10
@trackstar/test-angular-package 0.0.9
@trackstar/test-package 1.1.5
@trefox/sleekshop-js 0.1.6
@trigo/atrix 7.0.1
@trigo/atrix-elasticsearch 2.0.1
@trigo/atrix-postgres 1.0.3
@trigo/atrix-pubsub 4.0.3
@trigo/atrix-soap 1.0.2
@trigo/atrix-swagger 3.0.1
@trigo/bool-expressions 4.1.3
@trigo/eslint-config-trigo 3.3.1
@trigo/fsm 3.4.2
@trigo/hapi-auth-signedlink 1.3.1
@trigo/pathfinder-ui-css 0.1.1
@trigo/trigo-hapijs 5.0.1
@trpc-rate-limiter/cloudflare 0.1.4
@trpc-rate-limiter/hono 0.1.4
@varsityvibe/api-client 1.3.36|1.3.37
@varsityvibe/utils 5.0.6
@varsityvibe/validation-schemas 0.6.7|0.6.8
@viapip/eslint-config 0.2.4
@vishadtyagi/full-year-calendar 0.1.11
@voiceflow/alexa-types 2.15.61
@voiceflow/alexa-types 2.15.60|2.15.61
@voiceflow/anthropic 0.4.4|0.4.5
@voiceflow/api-sdk 3.28.59
@voiceflow/api-sdk 3.28.58|3.28.59
@voiceflow/backend-utils 5.0.1|5.0.2
@voiceflow/backend-utils 5.0.2|5.0.1
@voiceflow/base-types 2.136.2|2.136.3
@voiceflow/base-types 2.136.3|2.136.2
@voiceflow/body-parser 1.21.2|1.21.3
@voiceflow/chat-types 2.14.58|2.14.59
@voiceflow/chat-types 2.14.59|2.14.58
@voiceflow/circleci-config-sdk-orb-import 0.2.1|0.2.2
@voiceflow/commitlint-config 2.6.1
@voiceflow/commitlint-config 2.6.2|2.6.1
@voiceflow/common 8.9.1|8.9.2
@voiceflow/default-prompt-wrappers 1.7.3|1.7.4
@voiceflow/default-prompt-wrappers 1.7.4|1.7.3
@voiceflow/dependency-cruiser-config 1.8.11|1.8.12
@voiceflow/dependency-cruiser-config 1.8.12|1.8.11
@voiceflow/dtos-interact 1.40.1|1.40.2
@voiceflow/dtos-interact 1.40.2|1.40.1
@voiceflow/encryption 0.3.2|0.3.3
@voiceflow/encryption 0.3.3|0.3.2
@voiceflow/eslint-config 7.16.4|7.16.5
@voiceflow/eslint-plugin 1.6.1|1.6.2
@voiceflow/eslint-plugin 1.6.2|1.6.1
@voiceflow/exception 1.10.1|1.10.2
@voiceflow/exception 1.10.2|1.10.1
@voiceflow/fetch 1.11.1|1.11.2
@voiceflow/general-types 3.2.22|3.2.23
@voiceflow/general-types 3.2.23|3.2.22
@voiceflow/git-branch-check 1.4.3
@voiceflow/git-branch-check 1.4.4|1.4.3
@voiceflow/google-dfes-types 2.17.12|2.17.13
@voiceflow/google-types 2.21.13
@voiceflow/google-types 2.21.12|2.21.13
@voiceflow/husky-config 1.3.1
@voiceflow/husky-config 1.3.1|1.3.2
@voiceflow/logger 2.4.2|2.4.3
@voiceflow/logger 2.4.3|2.4.2
@voiceflow/metrics 1.5.1|1.5.2
@voiceflow/metrics 1.5.2|1.5.1
@voiceflow/natural-language-commander 0.5.2|0.5.3
@voiceflow/nestjs-common 2.75.2|2.75.3
@voiceflow/nestjs-mongodb 1.3.1|1.3.2
@voiceflow/nestjs-rate-limit 1.3.2|1.3.3
@voiceflow/nestjs-rate-limit 1.3.3|1.3.2
@voiceflow/nestjs-redis 1.3.1|1.3.2
@voiceflow/nestjs-timeout 1.3.1
@voiceflow/nestjs-timeout 1.3.1|1.3.2
@voiceflow/npm-package-json-lint-config 1.1.1
@voiceflow/npm-package-json-lint-config 1.1.1|1.1.2
@voiceflow/openai 3.2.2|3.2.3
@voiceflow/pino 6.11.3|6.11.4
@voiceflow/pino 6.11.4|6.11.3
@voiceflow/pino-pretty 4.4.1|4.4.2
@voiceflow/pino-pretty 4.4.2|4.4.1
@voiceflow/prettier-config 1.10.1
@voiceflow/prettier-config 1.10.2|1.10.1
@voiceflow/react-chat 1.65.4
@voiceflow/react-chat 1.65.4|1.65.3
@voiceflow/runtime 1.29.1|1.29.2
@voiceflow/runtime-client-js 1.17.2|1.17.3
@voiceflow/runtime-client-js 1.17.3|1.17.2
@voiceflow/sdk-runtime 1.43.1|1.43.2
@voiceflow/sdk-runtime 1.43.2|1.43.1
@voiceflow/secrets-provider 1.9.2
@voiceflow/secrets-provider 1.9.3|1.9.2
@voiceflow/semantic-release-config 1.4.1
@voiceflow/semantic-release-config 1.4.2|1.4.1
@voiceflow/serverless-plugin-typescript 2.1.7|2.1.8
@voiceflow/slate-serializer 1.7.3|1.7.4
@voiceflow/slate-serializer 1.7.4|1.7.3
@voiceflow/stitches-react 2.3.2|2.3.3
@voiceflow/stitches-react 2.3.3|2.3.2
@voiceflow/storybook-config 1.2.2|1.2.3
@voiceflow/stylelint-config 1.1.1
@voiceflow/stylelint-config 1.1.1|1.1.2
@voiceflow/test-common 2.1.1|2.1.2
@voiceflow/tsconfig 1.12.1
@voiceflow/tsconfig 1.12.2|1.12.1
@voiceflow/tsconfig-paths 1.1.4|1.1.5
@voiceflow/tsconfig-paths 1.1.5|1.1.4
@voiceflow/utils-designer 1.74.20
@voiceflow/utils-designer 1.74.19|1.74.20
@voiceflow/verror 1.1.4
@voiceflow/verror 1.1.5|1.1.4
@voiceflow/vite-config 2.6.2|2.6.3
@voiceflow/vitest-config 1.10.2|1.10.3
@voiceflow/vitest-config 1.10.3|1.10.2
@voiceflow/voice-types 2.10.58|2.10.59
@voiceflow/voice-types 2.10.59|2.10.58
@voiceflow/voiceflow-types 3.32.45|3.32.46
@voiceflow/widget 1.7.18|1.7.19
@vucod/email 0.0.3
@zapier/ai-actions 0.1.20|0.1.19|0.1.18
@zapier/babel-preset-zapier 6.4.2|6.4.1|6.4.3
@zapier/browserslist-config-zapier 1.0.4|1.0.3|1.0.5
@zapier/secret-scrubber 1.1.5|1.1.4|1.1.3
02-echo 0.0.7
ai-crowl-shield 1.0.7
arc-cli-fc 1.0.1
asciitranslator 1.0.3
asyncapi-preview 1.0.2|1.0.1
atrix 1.0.1
automation_model 1.0.491
avvvatars-vue 1.1.2
axios-builder 1.2.1
axios-cancelable 1.0.1|1.0.2
axios-cancelable 1.0.2|1.0.1
axios-timed 1.0.1|1.0.2
axios-timed 1.0.2|1.0.1
barebones-css 1.1.3|1.1.4
barebones-css 1.1.4|1.1.3
benmostyn-frame-print 1.0.1
best_gpio_controller 1.0.10
bestgpiocontroller 1.0.10
better-auth-nuxt 0.0.10
bidirectional-adapter 1.2.2|1.2.3|1.2.4
bidirectional-adapter 1.2.2|1.2.4|1.2.5|1.2.3
blinqio-executions-cli 1.0.41
blob-to-base64 1.0.3
buffered-interpolation-babylon6 0.2.8
bun-plugin-httpfile 0.1.1
bytecode-checker-cli 1.0.11|1.0.8|1.0.9|1.0.10
bytes-to-x 1.0.1
calc-loan-interest 1.0.4
capacitor-plugin-apptrackingios 0.0.21
capacitor-plugin-purchase 0.1.1
capacitor-plugin-scgssigninwithgoogle 0.0.5
capacitor-purchase-history 0.0.10
capacitor-voice-recorder-wav 6.0.3
ceviz 0.0.5
chrome-extension-downloads 0.0.3|0.0.4
claude-token-updater 1.0.3
coinmarketcap-api 3.1.2|3.1.3
coinmarketcap-api 3.1.3|3.1.2
colors-regex 2.0.1
command-irail 0.5.4
compare-obj 1.1.1|1.1.2
composite-reducer 1.0.2|1.0.3|1.0.4|1.0.5
composite-reducer 1.0.4|1.0.3|1.0.2|1.0.5
count-it-down 1.0.1|1.0.2
count-it-down 1.0.2|1.0.1
cpu-instructions 0.0.14
create-director-app 0.1.1
create-glee-app 0.2.3|0.2.2
create-hardhat3-app 1.1.4|1.1.3|1.1.1|1.1.2
create-silgi 0.3.1
crypto-addr-codec 0.1.9
css-dedoupe 0.1.2
csv-tool-cli 1.2.1
dashboard-empty-state 1.0.3
designstudiouiux 1.0.1
devstart-cli 1.0.6
dialogflow-es 1.1.4|1.1.3|1.1.1|1.1.2
discord-bot-server 0.1.2
docusaurus-plugin-vanilla-extract 1.0.3
dont-go 1.1.2
dotnet-template 0.0.3|0.0.4
drop-events-on-property-plugin 0.0.2
easypanel-sdk 0.3.2
email-deliverability-tester 1.1.1
enforce-branch-name 1.1.3
esbuild-plugin-brotli 0.2.1
esbuild-plugin-eta 0.1.1
esbuild-plugin-httpfile 0.4.1
eslint-config-nitpicky 4.0.1
eslint-config-trigo 22.0.2
eslint-config-zeallat-base 1.0.4
ethereum-ens 0.8.1
evm-checkcode-cli 1.0.15|1.0.12|1.0.13|1.0.14
exact-ticker 0.3.5
expo-audio-session 0.2.1
expo-router-on-rails 0.0.4
express-starter-template 1.0.10
expressos 1.1.3
fat-fingered 1.0.1|1.0.2
fat-fingered 1.0.2|1.0.1
feature-flip 1.0.1|1.0.2
feature-flip 1.0.2|1.0.1
firestore-search-engine 1.2.3
fittxt 1.0.2|1.0.3
fittxt 1.0.3|1.0.2
flapstacks 1.0.1|1.0.2
flapstacks 1.0.2|1.0.1
flatten-unflatten 1.0.1|1.0.2
flatten-unflatten 1.0.2|1.0.1
formik-error-focus 2.0.1
formik-store 1.0.1
frontity-starter-theme 1.0.1
fuzzy-finder 1.0.5|1.0.6
gate-evm-check-code2 2.0.3|2.0.4|2.0.5|2.0.6
gate-evm-tools-test 1.0.7|1.0.8|1.0.5|1.0.6
gatsby-plugin-antd 2.2.1
gatsby-plugin-cname 1.0.1|1.0.2
gatsby-plugin-cname 1.0.2|1.0.1
generator-meteor-stock 0.1.6
generator-ng-itobuz 0.0.15
get-them-args 1.3.3
github-action-for-generator 2.1.28
github-action-for-generator 2.1.28|2.1.27
gitsafe 1.0.5
go-template 0.1.8|0.1.9
gulp-inject-envs 1.2.1|1.2.2
gulp-inject-envs 1.2.2|1.2.1
haufe-axera-api-client 0.0.2
haufe-axera-api-client 0.0.1|0.0.2
hope-mapboxdraw 0.1.1
hopedraw 1.0.3
hover-design-prototype 0.0.5
httpness 1.0.2|1.0.3
httpness 1.0.3|1.0.2
hyper-fullfacing 1.0.3
hyperterm-hipster 1.0.7
ids-css 1.5.1
ids-enterprise-mcp-server 0.0.2
ids-enterprise-ng 20.1.6
ids-enterprise-typings 20.1.6
image-to-uri 1.0.1|1.0.2
image-to-uri 1.0.2|1.0.1
insomnia-plugin-random-pick 1.0.4
invo 0.2.2
iron-shield-miniapp 0.0.2
ito-button 8.0.3
itobuz-angular 0.0.1
itobuz-angular-auth 8.0.11
itobuz-angular-button 8.0.11
jacob-zuma 1.0.1|1.0.2
jacob-zuma 1.0.2|1.0.1
jaetut-varit-test 1.0.2
jan-browser 0.13.1
jquery-bindings 1.1.2|1.1.3
jquery-bindings 1.1.3|1.1.2
jsonsurge 1.0.7
just-toasty 1.7.1
kill-port 2.0.2|2.0.3
kill-port 2.0.3|2.0.2
kinetix-default-token-list 1.0.5
kns-error-code 1.0.8
korea-administrative-area-geo-json-util 1.0.7
kwami 1.5.9|1.5.10
lang-codes 1.0.1|1.0.2
lang-codes 1.0.2|1.0.1
license-o-matic 1.2.1|1.2.2
license-o-matic 1.2.2|1.2.1
lint-staged-imagemin 1.3.1|1.3.2
lite-serper-mcp-server 0.2.2
lui-vue-test 0.70.9
luno-api 1.2.3
m25-transaction-utils 1.1.16
manual-billing-system-miniapp-api 1.3.1
medusa-plugin-announcement 0.0.3
medusa-plugin-logs 0.0.17
medusa-plugin-momo 0.0.68
medusa-plugin-product-reviews-kvy 0.0.4
medusa-plugin-zalopay 0.0.40
mod10-check-digit 1.0.1
mon-package-react-typescript 1.0.1
my-saeed-lib 0.1.1
n8n-nodes-tmdb 0.5.1
n8n-nodes-vercel-ai-sdk 0.1.7
n8n-nodes-viral-app 0.2.5
nanoreset 7.0.1|7.0.2
nanoreset 7.0.2|7.0.1
next-circular-dependency 1.0.2|1.0.3
next-circular-dependency 1.0.3|1.0.2
next-simple-google-analytics 1.1.1|1.1.2
next-styled-nprogress 1.0.4|1.0.5
ngx-useful-swiper-prosenjit 9.0.2
ngx-wooapi 12.0.1
nitro-graphql 1.5.12
nitro-kutu 0.1.1
nitrodeploy 1.0.8
nitroping 0.1.1
normal-store 1.3.1|1.3.2|1.3.3
normal-store 1.3.1|1.3.4|1.3.3|1.3.2
nuxt-keycloak 0.2.2
obj-to-css 1.0.2|1.0.3
obj-to-css 1.0.3|1.0.2
okta-react-router-6 5.0.1
open2internet 0.1.1
orbit-boxicons 2.1.3
orbit-nebula-draw-tools 1.0.10
orbit-nebula-editor 1.0.2
orbit-soap 0.43.13
orchestrix 12.1.2
package-tester 1.0.1
parcel-plugin-asset-copier 1.1.2|1.1.3
parcel-plugin-asset-copier 1.1.3|1.1.2
pdf-annotation 0.0.2
pergel 0.13.2
pergeltest 0.0.25
piclite 1.0.1
pico-uid 1.0.3|1.0.4
pico-uid 1.0.4|1.0.3
pkg-readme 1.1.1
poper-react-sdk 0.1.2
posthog-docusaurus 2.0.6
posthog-js 1.297.3
posthog-node 4.18.1|5.13.3|5.11.3
posthog-plugin-hello-world 1.0.1
posthog-react-native 4.11.1|4.12.5
posthog-react-native-session-replay 1.2.2
prime-one-table 0.0.19
prompt-eng 1.0.50
puny-req 1.0.3
quickswap-ads-list 1.0.33
quickswap-default-staking-list 1.0.11
quickswap-default-staking-list-address 1.0.55
quickswap-router-sdk 1.0.1
quickswap-sdk 3.0.44
quickswap-smart-order-router 1.0.1
quickswap-token-lists 1.0.3
quickswap-v2-sdk 2.0.1
ra-auth-firebase 1.0.3
ra-data-firebase 1.0.8|1.0.7
react-component-taggers 0.1.9
react-data-to-export 1.0.1
react-element-prompt-inspector 0.1.18
react-favic 1.0.2
react-hook-form-persist 3.0.1|3.0.2
react-hook-form-persist 3.0.2|3.0.1
react-jam-icons 1.0.1|1.0.2
react-jam-icons 1.0.2|1.0.1
react-keycloak-context 1.0.8|1.0.9
react-library-setup 0.0.6
react-linear-loader 1.0.2
react-micromodal.js 1.0.1|1.0.2
react-micromodal.js 1.0.2|1.0.1
react-native-datepicker-modal 1.3.1|1.3.2
react-native-email 2.1.1|2.1.2
react-native-fetch 2.0.1|2.0.2
react-native-get-pixel-dimensions 1.0.1|1.0.2
react-native-get-pixel-dimensions 1.0.2|1.0.1
react-native-google-maps-directions 2.1.2
react-native-jam-icons 1.0.1|1.0.2
react-native-jam-icons 1.0.2|1.0.1
react-native-log-level 1.2.1|1.2.2
react-native-log-level 1.2.2|1.2.1
react-native-modest-checkbox 3.3.1
react-native-modest-storage 2.1.1
react-native-phone-call 1.2.1|1.2.2
react-native-phone-call 1.2.2|1.2.1
react-native-retriable-fetch 2.0.1|2.0.2
react-native-use-modal 1.0.3
react-native-view-finder 1.2.1|1.2.2
react-native-view-finder 1.2.2|1.2.1
react-native-websocket 1.0.3|1.0.4
react-native-websocket 1.0.4|1.0.3
react-native-worklet-functions 3.3.3
react-packery-component 1.0.3
react-qr-image 1.1.1
react-scrambled-text 1.0.4
rediff 1.0.5
rediff-viewer 0.0.7
redux-router-kit 1.2.2|1.2.4|1.2.3
revenuecat 1.0.1
rollup-plugin-httpfile 0.2.1
sa-company-registration-number-regex 1.0.1|1.0.2
sa-company-registration-number-regex 1.0.2|1.0.1
sa-id-gen 1.0.4|1.0.5
samesame 1.0.3
scgs-capacitor-subscribe 1.0.11
scgsffcreator 1.0.5
schob 1.0.3
set-nested-prop 2.0.1|2.0.2
shelf-jwt-sessions 0.1.2
shell-exec 1.1.3|1.1.4
shell-exec 1.1.4|1.1.3
shinhan-limit-scrap 1.0.3
silgi 0.43.30
simplejsonform 1.0.1
skills-use 0.1.2|0.1.1
solomon-api-stories 1.0.2
solomon-v3-stories 1.15.6
solomon-v3-ui-wrapper 1.6.1
soneium-acs 1.0.1
sort-by-distance 2.0.1
south-african-id-info 1.0.2
stat-fns 1.0.1
stoor 2.3.2
sufetch 0.4.1
super-commit 1.0.1
svelte-autocomplete-select 1.1.1
svelte-toasty 1.1.2|1.1.3
svelte-toasty 1.1.3|1.1.2
tanstack-shadcn-table 1.1.5
tavily-module 1.0.1
tcsp 2.0.2
tcsp-draw-test 1.0.5
tcsp-test-vd 2.4.4
template-lib 1.1.3|1.1.4
template-lib 1.1.4|1.1.3
template-micro-service 1.0.2|1.0.3
template-micro-service 1.0.3|1.0.2
tenacious-fetch 2.3.2|2.3.3
tenacious-fetch 2.3.3|2.3.2
test-foundry-app 1.0.4|1.0.3|1.0.2|1.0.1
test-hardhat-app 1.0.4|1.0.3|1.0.2|1.0.1
test23112222-api 1.0.1
tiaan 1.0.2
tiptap-shadcn-vue 0.2.1
token.js-fork 0.7.32
toonfetch 0.3.2
trigo-react-app 4.1.2
ts-relay-cursor-paging 2.1.1
typeface-antonio-complete 1.0.5
typefence 1.2.2|1.2.3
typeorm-orbit 0.2.27
unadapter 0.1.3
undefsafe-typed 1.0.4
undefsafe-typed 1.0.4|1.0.3
unemail 0.3.1
uniswap-router-sdk 1.6.2
uniswap-smart-order-router 3.16.26
uniswap-test-sdk-core 4.0.8
unsearch 0.0.3
uplandui 0.5.4
upload-to-play-store 1.0.1|1.0.2
upload-to-play-store 1.0.2|1.0.1
url-encode-decode 1.0.1|1.0.2
url-encode-decode 1.0.2|1.0.1
use-unsaved-changes 1.0.9
v-plausible 1.2.1
valid-south-african-id 1.0.3
valuedex-sdk 3.0.5
vf-oss-template 1.0.4|1.0.3|1.0.2|1.0.1
victoria-wallet-constants 0.1.1
victoria-wallet-core 0.1.1
victoria-wallet-type 0.1.1
victoria-wallet-utils 0.1.1
victoria-wallet-validator 0.1.1
victoriaxoaquyet-wallet-core 0.2.1
vite-plugin-httpfile 0.2.1
vue-browserupdate-nuxt 1.0.5
wallet-evm 0.3.1
wallet-type 0.1.1
web-scraper-mcp 1.1.4
web-types-htmx 0.1.1
web-types-lit 0.1.1
webpack-loader-httpfile 0.2.1
wellness-expert-ng-gallery 5.1.1
wenk 1.0.9|1.0.10
zapier-async-storage 1.0.3|1.0.2|1.0.1
zapier-platform-cli 18.0.4|18.0.3|18.0.2
zapier-platform-core 18.0.4|18.0.3|18.0.2
zapier-platform-schema 18.0.4|18.0.3|18.0.2
zapier-scripts 7.8.3|7.8.4
zuper-cli 1.0.1
zuper-sdk 1.0.57
zuper-stream 2.0.9

More information from the world

Shai-Hulud 2.0: What executives need to know about the supply-chain worm (Nov 24, 2025)

3 Lessons From APIdays London: Why OSS Visibility Matters

viviandufour, , Leave a comment

Open source powers most modern software and expands your attack surface. At APIdays London, Meterian CTO Bruno Bossola showed how a crafted JSON request can trigger remote code execution when a vulnerable dependency slips into a service. 

The key takeaway was that without visibility and fast remediation, vulnerabilities ride your software supply chain into production.

1) Exploits start upstream, not in production

Meterian’s live demo used a known jackson-databind flaw to execute code via a JSON payload. Incidents like the Apache Struts 2 breaches proved the same point years ago: attackers go where libraries are ubiquitous and exposure is public-facing.

Teams still discover many issues late, inside CI/CD or after release. By then, the vulnerable package is woven into multiple services and rollbacks get expensive.

What to change

  • Shift security into the IDE so developers see and fix dependency risk as they code.
  • Add pre-push and CI checks to block known-bad versions before they land on main.

2) You can’t patch what you can’t see

Most applications are a small slice of proprietary code on top of a large stack of third-party packages. New CVEs appear daily across NVD, OSV, and GitHub Advisories. If you don’t know exactly which versions you run—including transitives—you can’t assess blast radius or prioritise patches.


What good visibility looks like

  • Keep an up-to-date SBOM for every build (e.g., CycloneDX) and ingest vendor SBOMs.
  • Continuously monitor your dependency graph against live feeds and internal policy.
  • Prioritise RCEs and internet-exposed paths first, then reduce debt in lower-risk services.

3) Make remediation fast and routine

In the demo, upgrading a vulnerable component inside the IDE removed the exploit path in seconds. That’s the experience to aim for: actionable guidance at the moment of discovery, with one-click upgrades where possible. Speed reduces MTTR, avoids regressions, and prevents risk from spreading across repos.

Operationalise speed

  • Standardise one-click upgrades and automated PRs for safe versions.
  • Set patch SLAs by severity and exposure (e.g., 24–72 hours for critical RCEs).
  • Track MTTR, exception waivers, and policy drift to guide platform investments.

A simple workflow that works

  • IDE (shift left): real-time vulnerability assessment of manifests and transitive dependencies, with suggested fixes developers can apply immediately.
  • Pre-push: Git proxy hooks to enforce policy and block known-bad versions.
  • CI/CD: SCA checks per build, SBOM generation/signing, and fail-the-build on criticals.
  • Post-build: continuous monitoring of deployed SBOMs against new advisories; targeted rollouts for high-risk upgrades.
  • Governance: clear patch SLAs, exception process, and regular supply-chain reporting to leadership.

Bottom line

  • Exploit paths are simple; dependency graphs are not. Treat open source security as a first-class discipline.
  • Visibility is non-negotiable. If you can’t list it, you can’t fix it.
  • Shift left so the fastest path becomes the secure path—inside the IDE, at pre-push, and in CI.

Meterian’s  APIdays demo made it clear: build visibility, shorten the distance from detection to fix, and your software supply chain becomes measurably safer.

3 Lessons From APIdays London: Why OSS Visibility Matters

From Factory Floors to Software Stacks: Why OSS Risk Now Mirrors Physical Supply Chain Threats

viviandufourLeave a comment

Author: Rod Cobain • 5 min read

In the original piece, Mike Dwyer painted a vivid picture: Manufacturing Supply Chains Are No Longer Just Mechanical or Logistical Systems, they are deeply entwined digital ecosystems, where each ERP module, IoT-enabled actuator, and tier-2 supplier nodes can become an entry point for cyber threats. Logistics Matters Today, I want to push the conversation further: the open source software (OSS) layer now acts like a silent “sub-supplier” embedded within your tech stack, and like any hidden supply risk, it demands boardroom attention, not just the care of the development team. The risk of ignoring this is not just to your business but that of your customer and their suppliers.

Recasting Mike Dwyer: Resilience Is About More Than Hardware

The core message from Mike remains pivotal:

  • Cyber risk is business risk, it must be integrated across operations, procurement, R&D and logistics. How many times does this need to be repeated?
  • Legacy point solutions are no longer sufficient, resilience must be designed globally across tiers. This is a leadership situation.
  • Next-generation supply chains rely on intelligence, visibility, and agility,  but every “smart” layer you add is a new attack surface.

What often goes unsaid,  and is less visible to many manufacturers,  is how much of the “smarts” in these systems is built on open source software components. Every subsystem, from sensor drivers to data analytics modules,  often leverages OSS libraries. Thus, the same supply chain logic Mike describes must apply internally: your software dependencies are now your internal “suppliers.”

Meterian’s Warning: OSS Is Not Free from Risk. It’s a Source of Escalation Regardless of the business Size or Sector

Escalation Through the OSS Layer: A Multi-Tier Threat Model

Let’s examine how OSS risk can escalate, step by step, through any business sector:

  1. Developer/Subsystem Level
     A team integrates a third-party open source library (e.g. for analytics, messaging, or edge compute). Unknown to them, one of its transitive dependencies includes a known CVE.
     → That module becomes a foothold vulnerable to exploitation.
  2. Application/Subsystem Aggregation
     The vulnerable component is embedded in a subsystem (e.g. quality tracking, process control) that exposes APIs or networked endpoints. Attackers exploit the library flaw to gain code execution or escalate privileges.
     → What was a discreet bug becomes a path into a critical sub-system.
  3. Platform / Middleware / Integration Layer
     Multiple subsystems feed into central integration layers (e.g. MES, orchestration, data middleware). A malicious actor moved laterally from one compromised subsystem into the integration fabric.
     → The exploit travels across domains, bridging OT/IT boundaries.
  4. Control Systems / OT / Physical Assets
     From the integration layer, attackers may reach OT systems controlling PLCs, robotics, or sensors. Here lies real operational impact, production halts, manipulated outputs, or safety risks.
     → The breach translates into physical damage or downtime.
  5. Supply Chain / Partner Ecosystem
     If that platform is shared, or upstream/downstream partners rely on shared components, the exploit can spread further. A single OSS vulnerability could cascade throughout the partner network.
     → The domain of the breach finally becomes systemic, affecting multiple actors.

At each layer, the “supplier” is the embedded code you didn’t write, and if you haven’t been continuously verifying its integrity, the risk is already live.

Practical Steps: Embedding OSS Governance into Your Resilience Strategy

To fuse Mike Dwyer’s vision and Meterian’s warnings into actionable posture, here are recommendations:

FocusActions
Treat OSS like any other supplierMaintain an SBOM (software bill of materials) for all systems. Demand “security assurances” (e.g. scans, patches) from internal and third-party teams.
Integrate continuous SCA / vulnerability scanningEmbed tools like Meterian (or similar) into CI/CD pipelines such that builds with failing security scores are automatically flagged or blocked.
Prioritize remediation, not just detectionUse auto-remediation where possible, or triage by threat score, to avoid alert fatigue and ensure action. Meterian helps with guided upgrade paths.
Cross-functional awareness & trainingEmpower developers, ops, procurement, and leadership with visibility into OSS risk, and grant them the agency to act.
Threat modelling spanning software supply chainExtend your existing supply chain risk models to include internal “supplier layers” (OSS, SDKs) as nodes in your attack graphs.
Incident playbooks that assume internal code riskIn response planning, simulate OSS vulnerability scenarios, not just network intrusion, because in many modern attacks, the initial vector is a library exploit.

Final Thought: Resilience Demands Depth, Not Just Perimeter

Mike Dwyer’s assertion remains apt: supply chain security is business security. But the conversation must now extend inward: the OSS layer, once viewed as a cost-saver or innovation enabler, is a core battleground. Its risks escalate upward. A vulnerability at the bottom can ripple all the way to the executive level, halting production lines or worse.

It’s time to shift from reactive patching to anticipatory governance. Treat code like any other critical supplier, inspect it, test it, govern it, and don’t let your next downtime be the moment you realize the invisible layer was your greatest weakness. Are you aware that the UK Cyber Framework is in the spotlight and is seen as the standard to follow?

Stop ignoring the silent supplier. It’s time to manage your Open Source Risk in the modern supply chain and manufacturing tech stack. 

From Factory Floors to Software Stacks: Why OSS Risk Now Mirrors Physical Supply Chain Threats

Closing the Cyber Insurance Gap

viviandufourLeave a comment

Why Open-Source Scanning & Monitoring Are the Real Safety Net

3–4 minutes

Cyber insurance is the latest addition to the arsenal of tools in the fight against cyber-attacks, alongside Cyber Essentials and Pen Testing. Both in the business world and private life, we rely on insurance to cover day to day events  that disrupt our lives, but that safety net does not always meet expectations. The recent experiences of Jaguar Land Rover and the Co-op prove what many risk leaders already suspect: today’s cyber policies are riddled with exclusions and caveats that leave businesses exposed when it matters most.

In 2025 alone, we’ve seen:

Jaguar Land Rover (JLR) suffered a crippling cyberattack in September, shutting down production lines and disrupting suppliers worldwide.

  • Without a finalised cyber insurance policy, JLR is left absorbing the financial and operational fallout.
  • The Co-op, still reeling from its April cyber incident, disclose £206 million in lost revenue and an £80 million operating profit hit– much of which fell outside traditional insurance coverage.

Both stories highlight the same painful truth: insurance pays after the damage, if at all. Prevention pays every single time

A group of professionals seated around a conference table analyzing data on laptops and monitors, with red warning graphics displayed, emphasizing the message about cyber insurance and open-source monitoring.

The Fine Print of Cyber Insurance: What’s Not Covered

Insurers are increasingly cautious, excluding or limiting coverage in ways that reduce meaningful protection:

  • State-backed exclusions: Attacks deemed “nation-state” or “warlike” are carved out, leaving businesses to shoulder catastrophic losses.
  • Supply-chain blind spots: Most policies cover only direct IT damage, not the ripple effects when suppliers, logistics providers, or cloud vendors go dark.
  • Sublimits & carve-outs: Crisis PR, forensic costs, and even some business interruption claims often fall under restrictive sublimits.
  • Attribution battles: Proving causation can delay payouts for months, while revenue, reputation, and customer trust evaporate in days.

Why Open-Source Scanning & Monitoring Changes the Game

Insurance alone is not a resilience strategy. The real advantage comes from detecting, patching, and preventing threats before they escalate into claims. That’s where open-source scanning and monitoring deliver unparalleled value:

  • Transparency at scale: Unlike closed systems, open-source tools are frequently reviewed, tested, and enhanced by global communities, which means vulnerabilities have greater probability to be spotted and addressed by a larger community before they can be exploited.
  • Supply-chain visibility: Open-source monitoring illuminates risks across your ecosystem, from third-party code to vendor dependencies, directly addressing the blind spots excluded by insurance policies.
  • Cost-effective coverage: Deploying open-source scanning costs a fraction of insurance premiums, yet continuously reduces exposure, lowering both the frequency and severity of incidents.
  • Proactive compliance: Continuous monitoring demonstrates active governance, satisfying regulators, insurers, and boards while strengthening claims positions if an event does occur.
  • Actionable insights, not afterthoughts: Real-time alerts allow IT and security teams to act before attackers exploit weaknesses–something insurance simply can’t offer that.

Case Studies Reinforced: What JLR & Co-op Teach Us

  • Jaguar Land Rover’s disruption shows how missing insurance leaves organisations financially stranded. But even if cover had been in place, insurers likely would have contested or capped payouts under supply-chain or nation-state exclusions. Open-source monitoring could have identified weak points in advance, preventing stoppages before they cascaded through factories.
  • Illustrating the £206 million scale of business interruption, the Co-op’s loss shows that continuous monitoring would have been a better defense. Closing exploited vulnerabilities early would have shrunk the financial damage and allowed the company to bypass the time-consuming and ultimately low-yield fight over insurance claims.

Industry Recommendation: Build a Dual Shield

The modern cyber risk landscape demands a two-pronged defence.  This means having insurance to handle financial aftershocks, and moreover strategically deploying open-source scanning and monitoring to achieve real-time resilience by closing the specific exposure gaps that insurance explicitly leaves open.

In 2025, the winners won’t be those with the biggest insurance policy, but those who combine smart financial protection with relentless, transparent, and scalable monitoring.

Open-source scanning is far beyond a technical choice; it is a strategic investment. It empowers boards, reassures investors, and proves to regulators and customers that resilience is a measurable commitment, not just a buzzword.

Don’t just insure your cyber risk.  Shrink it–and maximise your operational stability.

Closing the Cyber Insurance Gap