PRESS RELEASE Meterian Issues Public Warning to UK Public Sector Following Recent Cyber Attacks on London Councils

London, UK — Dec 4, 2025


Meterian, a UK-based application security leader, today acknowledges the series of cyber attacks that have recently impacted several London councils, causing significant disruption to public services and exposing ongoing vulnerabilities within local government systems.

These attacks follow a prediction made earlier this year by Bruno Bossola, Meterian’s Chief Technology Officer, who accurately forecast the emergence of the supply-chain-based cyber threat that went on to disrupt organisations across multiple sectors. His analysis has now identified indicators of a new, more severe wave of attacks on the horizon, with public sector organisations likely to be primary targets due to their critical role and often complex digital estates.

“Public services are under unprecedented pressure,” said Bruno Bossola. “Our threat intelligence suggests that the recent breaches are only the beginning. A second, more sophisticated attack vector is emerging, and public sector organisations along with the Supply Chain must act now to strengthen their application security and supply chain defences.”

In response to the escalating threat environment, Meterian is extending support to all UK public sector organisations by offering complimentary trial access to its automated risk-scanning tool. This initiative aims to help councils, NHS Trusts, government departments, and other public bodies quickly identify vulnerabilities within their software supply chains and critical applications before attackers exploit them.

Through proactive, automated detection, repair, and continuous monitoring, Meterian provides organisations with an early-warning capability, something traditional penetration testing or annual audits cannot offer.

“Our mission is to help safeguard the UK’s critical infrastructure,” said the Meterian leadership team. “We recognise the pressure that councils and public bodies are facing. By making our scanning tool accessible, we aim to give the public sector the visibility and resilience needed to prevent the next attack rather than simply respond to it.”

Public sector organisations interested in assessing their current risk exposure can register for a free 30-minute discovery call, during which Meterian’s specialists will guide them through the threat landscape and provide access to the scanning platform.

About Meterian
Meterian is a leading application security provider specialising in automated detection, remediation, and continuous monitoring of vulnerabilities within software supply chains. Trusted by organisations across finance, technology, and critical infrastructure sectors, Meterian delivers real-time insight and protection to help businesses stay ahead of emerging threats.


Shai-Hulud 2.0: What executives need to know about the new npm supply-chain worm (Nov 24, 2025)

On November 24, 2025, a second wave of the “Shai-Hulud” npm supply-chain attack began spreading through the JavaScript ecosystem. Attackers compromised maintainer accounts, published trojanized versions of legitimate packages, and used them as a worm to steal credentials and propagate into more projects and organizations.

What happened (in plain terms)

  • Trusted packages were silently replaced with malicious updates. When developers or CI systems installed these versions, the malware ran automatically during install.
  • The malware steals secrets at scale. The payload hunts for npm/GitHub tokens and cloud credentials, then exfiltrates them to attacker-controlled repos.
  • This wave is more capable than September’s. Researchers observed improved execution (including the Bun runtime) and broader credential targeting, making infection faster and harder to spot.
  • High-profile vendors were hit. Packages tied to Zapier, ENS Domains, Postman, PostHog, AsyncAPI and others were compromised, showing the attackers can reach well-run projects, not just obscure libraries.

Why this matters to your business

This is not a “developer problem.” It is a direct enterprise risk:

  1. Credential theft = account takeover. If a compromised package was installed in your environment, assume tokens and keys on that machine (or CI runner) may be stolen. That can lead to cloud breaches, source-code theft, or ransomware-style follow-on attacks.
  2. Supply chain blast radius is huge. npm packages are deeply nested in modern apps. One infected dependency can taint many internal services before anyone notices. The campaign has already spread into tens of thousands of GitHub repos.
  3. Regulatory and reputational exposure. If attacker access leads to customer data loss or service disruption, you face incident-response costs, disclosure obligations, and trust damage.

Immediate actions (next 24–72 hours) for your engineering team

If your engineering team uses Node.js / npm anywhere:

  1. Identify exposure.
    • Compare your dependency lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) against the known malicious package/version list from current advisories.
    • Search CI logs and build images for installs of those versions from Nov 24, 2025 onward.
    • If you are using Meterian, your teams will be notified tomorrow of any outstanding issue in your projects; you can also trigger a rescan manually.
  2. Treat potentially affected environments as compromised.
    • Rotate all secrets that could have been accessible to developer machines or CI runners: npm tokens, GitHub tokens, cloud keys, DB creds, SaaS API keys.
    • Re-issue creds from a clean machine.
  3. Hunt for persistence.
    • Check for unexpected GitHub Actions / CI workflows, new secrets, or unfamiliar deploy keys. Earlier Shai-Hulud waves used CI backdoors to keep access.
  4. Block known bad versions now.
    • Add deny-lists in artifact proxies (e.g., npm registry mirrors) and internal policy gates.
    • Pin safe versions until the incident stabilizes.

Medium-term fixes (next few weeks) for your engineering team

  • Eliminate long-lived registry tokens. The attack leveraged stolen or weakly protected maintainer/CI tokens; reducing token lifetime and scope cuts worm propagation.
  • Harden CI/CD. Run builds in isolated runners with minimal secrets; require approvals for workflow changes.
  • Adopt dependency trust controls.
    • Prefer verified publishing / signed releases where available.
    • Add automated checks for sudden owner changes, new install scripts, or unusual publish patterns.

The take-home

Shai-Hulud 2.0 is a credential-stealing worm riding on the npm ecosystem. It spreads through normal installs, targets high-value developer and cloud secrets, and has already hit mainstream packages. The right executive posture is: assume compromise if exposed, rotate secrets fast, and tighten the software supply chain permanently. After last September’s incident, we predicted this would rear its ugly head again. Watch a brief update and warning shared earlier this week at one of our meetings.

Meterian CTO Bruno Bossola on the growing blast radius, and why all consumers of npm must act to stop it

This is a story under development!

Please keep an eye on this blog page, in the meantime here’s the list of affected packages and versions so far:

Package name  Affected version(s) (several versions separated by |)
@accordproject/concerto-analysis 3.24.1
@accordproject/concerto-linter 3.24.1
@accordproject/concerto-linter-default-ruleset 3.24.1
@accordproject/concerto-metamodel 3.12.5
@accordproject/concerto-types 3.24.1
@accordproject/markdown-it-cicero 0.16.26
@accordproject/template-engine 2.7.2
@actbase/css-to-react-native-transform 1.0.3
@actbase/native 0.1.32
@actbase/node-server 1.1.19
@actbase/react-absolute 0.8.3
@actbase/react-daum-postcode 1.0.5
@actbase/react-kakaosdk 0.9.27
@actbase/react-native-actionsheet 1.0.3
@actbase/react-native-devtools 0.1.3
@actbase/react-native-fast-image 8.5.13
@actbase/react-native-kakao-channel 1.0.2
@actbase/react-native-kakao-navi 2.0.4
@actbase/react-native-less-transformer 1.0.6
@actbase/react-native-naver-login 1.0.1
@actbase/react-native-simple-video 1.0.13
@actbase/react-native-tiktok 1.1.3
@afetcan/api 0.0.13
@afetcan/storage 0.0.27
@alexadark/amadeus-api 1.0.4
@alexadark/gatsby-theme-events 1.0.1
@alexadark/gatsby-theme-wordpress-blog 2.0.1
@alexadark/reusable-functions 1.5.1
@alexcolls/nuxt-socket.io 0.0.7|0.0.8
@alexcolls/nuxt-ux 0.6.1|0.6.2
@alexcolls/nuxt-ux 0.6.2|0.6.1
@antstackio/eslint-config-antstack 0.0.3
@antstackio/express-graphql-proxy 0.2.8
@antstackio/graphql-body-parser 0.1.1
@antstackio/json-to-graphql 1.0.3
@antstackio/shelbysam 1.1.7
@aryanhussain/my-angular-lib 0.0.23
@asyncapi/dotnet-rabbitmq-template 1.0.2|1.0.1
@asyncapi/edavisualiser 1.2.2|1.2.1
@asyncapi/go-watermill-template 0.2.76|0.2.77
@asyncapi/java-template 0.3.6|0.3.5
@asyncapi/keeper 0.0.3|0.0.2
@asyncapi/php-template 0.1.2|0.1.1
@asyncapi/python-paho-template 0.2.15|0.2.14
@asyncapi/server-api 0.16.25|0.16.24
@asyncapi/studio 1.0.3|1.0.2
@asyncapi/web-component 2.6.7|2.6.6
@bdkinc/knex-ibmi 0.5.7
@browserbasehq/bb9 1.2.21
@browserbasehq/director-ai 1.0.3
@browserbasehq/mcp 2.1.1
@browserbasehq/mcp-server-browserbase 2.4.2
@browserbasehq/sdk-functions 0.0.4
@browserbasehq/stagehand 3.0.4
@browserbasehq/stagehand-docs 1.0.1
@caretive/caret-cli 0.0.2
@chtijs/eslint-config 1.0.1
@clausehq/flows-step-httprequest 0.1.14
@clausehq/flows-step-jsontoxml 0.1.14
@clausehq/flows-step-mqtt 0.1.14
@clausehq/flows-step-sendgridemail 0.1.14
@clausehq/flows-step-taskscreateurl 0.1.14
@cllbk/ghl 1.3.1
@commute/bloom 1.0.3
@commute/market-data 1.0.2
@commute/market-data-chartjs 2.3.1
@dev-blinq/ai-qa-logic 1.0.19
@dev-blinq/cucumber_client 1.0.738
@dev-blinq/cucumber-js 1.0.131
@dev-blinq/ui-systems 1.0.93
@ensdomains/address-encoder 1.1.5
@ensdomains/blacklist 1.0.1
@ensdomains/buffer 0.1.2
@ensdomains/ccip-read-cf-worker 0.0.4
@ensdomains/ccip-read-dns-gateway 0.1.1
@ensdomains/ccip-read-router 0.0.7
@ensdomains/ccip-read-worker-viem 0.0.4
@ensdomains/content-hash 3.0.1
@ensdomains/curvearithmetics 1.0.1
@ensdomains/cypress-metamask 1.2.1
@ensdomains/dnsprovejs 0.5.3
@ensdomains/dnssec-oracle-anchors 0.0.2
@ensdomains/dnssecoraclejs 0.2.9
@ensdomains/durin 0.1.2
@ensdomains/durin-middleware 0.0.2
@ensdomains/ens-archived-contracts 0.0.3
@ensdomains/ens-avatar 1.0.4
@ensdomains/ens-contracts 1.6.1
@ensdomains/ens-test-env 1.0.2
@ensdomains/ens-validation 0.1.1
@ensdomains/ensjs 4.0.3
@ensdomains/ensjs-react 0.0.5
@ensdomains/eth-ens-namehash 2.0.16
@ensdomains/hackathon-registrar 1.0.5
@ensdomains/hardhat-chai-matchers-viem 0.1.15
@ensdomains/hardhat-toolbox-viem-extended 0.0.6
@ensdomains/mock 2.1.52
@ensdomains/name-wrapper 1.0.1
@ensdomains/offchain-resolver-contracts 0.2.2
@ensdomains/op-resolver-contracts 0.0.2
@ensdomains/react-ens-address 0.0.32
@ensdomains/renewal 0.0.13
@ensdomains/renewal-widget 0.1.10
@ensdomains/reverse-records 1.0.1
@ensdomains/server-analytics 0.0.2
@ensdomains/solsha1 0.0.4
@ensdomains/subdomain-registrar 0.2.4
@ensdomains/test-utils 1.3.1
@ensdomains/thorin 0.6.51
@ensdomains/ui 3.4.6
@ensdomains/unicode-confusables 0.1.1
@ensdomains/unruggable-gateways 0.0.3
@ensdomains/vite-plugin-i18next-loader 4.0.4
@ensdomains/web3modal 1.10.2
@everreal/react-charts 2.0.2
@everreal/react-charts 2.0.1|2.0.2
@everreal/validate-esmoduleinterop-imports 1.4.5
@everreal/validate-esmoduleinterop-imports 1.4.4|1.4.5
@everreal/web-analytics 0.0.2
@everreal/web-analytics 0.0.1|0.0.2
@faq-component/core 0.0.4
@faq-component/react 1.0.1
@fishingbooker/browser-sync-plugin 1.0.5
@fishingbooker/react-loader 1.0.7
@fishingbooker/react-pagination 2.0.6
@fishingbooker/react-raty 2.0.1
@fishingbooker/react-swiper 0.1.5
@hapheus/n8n-nodes-pgp 1.5.1
@hover-design/core 0.0.1
@hover-design/react 0.2.1
@huntersofbook/auth-vue 0.4.2
@huntersofbook/core 0.5.1
@huntersofbook/core-nuxt 0.4.2
@huntersofbook/form-naiveui 0.5.1
@huntersofbook/i18n 0.8.2
@huntersofbook/ui 0.5.1
@hyperlook/telemetry-sdk 1.0.19
@ifelsedeveloper/protocol-contracts-svm-idl 0.1.2|0.1.3
@ifelsedeveloper/protocol-contracts-svm-idl 0.1.2
@ifings/design-system 4.9.2
@ifings/metatron3 0.1.5
@jayeshsadhwani/telemetry-sdk 1.0.14
@kvytech/cli 0.0.7
@kvytech/components 0.0.2
@kvytech/habbit-e2e-test 0.0.2
@kvytech/medusa-plugin-announcement 0.0.8
@kvytech/medusa-plugin-management 0.0.5
@kvytech/medusa-plugin-newsletter 0.0.5
@kvytech/medusa-plugin-product-reviews 0.0.9
@kvytech/medusa-plugin-promotion 0.0.2
@kvytech/web 0.0.2
@lessondesk/api-client 9.12.2|9.12.3
@lessondesk/api-client 9.12.3|9.12.2
@lessondesk/babel-preset 1.0.1
@lessondesk/electron-group-api-client 1.0.3
@lessondesk/eslint-config 1.4.2
@lessondesk/material-icons 1.0.3
@lessondesk/react-table-context 2.0.4
@lessondesk/schoolbus 5.2.2|5.2.3
@livecms/live-edit 0.0.32
@livecms/nuxt-live-edit 1.9.2
@louisle2/core 1.0.1
@louisle2/cortex-js 0.1.6
@lpdjs/firestore-repo-service 1.0.1
@lui-ui/lui-nuxt 0.1.1
@lui-ui/lui-tailwindcss 0.1.2
@lui-ui/lui-vue 1.0.13
@markvivanco/app-version-checker 1.0.2|1.0.1
@ntnx/passport-wso2 0.0.3
@ntnx/t 0.0.101
@oku-ui/accordion 0.6.2
@oku-ui/alert-dialog 0.6.2
@oku-ui/arrow 0.6.2
@oku-ui/aspect-ratio 0.6.2
@oku-ui/avatar 0.6.2
@oku-ui/checkbox 0.6.3
@oku-ui/collapsible 0.6.2
@oku-ui/collection 0.6.2
@oku-ui/dialog 0.6.2
@oku-ui/direction 0.6.2
@oku-ui/dismissable-layer 0.6.2
@oku-ui/focus-guards 0.6.2
@oku-ui/focus-scope 0.6.2
@oku-ui/hover-card 0.6.2
@oku-ui/label 0.6.2
@oku-ui/menu 0.6.2
@oku-ui/motion 0.4.4
@oku-ui/motion-nuxt 0.2.2
@oku-ui/popover 0.6.2
@oku-ui/popper 0.6.2
@oku-ui/portal 0.6.2
@oku-ui/presence 0.6.2
@oku-ui/primitive 0.6.2
@oku-ui/primitives 0.7.9
@oku-ui/primitives-nuxt 0.3.1
@oku-ui/progress 0.6.2
@oku-ui/provide 0.6.2
@oku-ui/radio-group 0.6.2
@oku-ui/roving-focus 0.6.2
@oku-ui/scroll-area 0.6.2
@oku-ui/separator 0.6.2
@oku-ui/slider 0.6.2
@oku-ui/slot 0.6.2
@oku-ui/switch 0.6.2
@oku-ui/tabs 0.6.2
@oku-ui/toast 0.6.2
@oku-ui/toggle 0.6.2
@oku-ui/toggle-group 0.6.2
@oku-ui/toolbar 0.6.2
@oku-ui/tooltip 0.6.2
@oku-ui/use-composable 0.6.2
@oku-ui/utils 0.6.2
@oku-ui/visually-hidden 0.6.2
@orbitgtbelgium/mapbox-gl-draw-cut-polygon-mode 2.0.5
@orbitgtbelgium/mapbox-gl-draw-scale-rotate-mode 1.1.1
@orbitgtbelgium/orbit-components 1.2.9
@orbitgtbelgium/time-slider 1.0.187
@osmanekrem/bmad 1.0.6
@osmanekrem/error-handler 1.2.2
@pergel/cli 0.11.1
@pergel/module-box 0.6.1
@pergel/module-graphql 0.6.1
@pergel/module-ui 0.0.9
@pergel/nuxt 0.25.5
@posthog/agent 1.24.1
@posthog/ai 7.1.2
@posthog/cli 0.5.15
@posthog/clickhouse 1.7.1
@posthog/core 1.5.6
@posthog/hedgehog-mode 0.0.42
@posthog/icons 0.36.1
@posthog/lemon-ui 0.0.1
@posthog/nextjs-config 1.5.1
@posthog/nuxt 1.2.9
@posthog/piscina 3.2.1
@posthog/plugin-contrib 0.0.6
@posthog/react-rrweb-player 1.1.4
@posthog/rrdom 0.0.31
@posthog/rrweb 0.0.31
@posthog/rrweb-player 0.0.31
@posthog/rrweb-record 0.0.31
@posthog/rrweb-replay 0.0.19
@posthog/rrweb-snapshot 0.0.31
@posthog/rrweb-utils 0.0.31
@posthog/siphash 1.1.2
@posthog/wizard 1.18.1
@postman/aether-icons 2.23.4|2.23.3|2.23.2
@postman/csv-parse 4.0.5|4.0.3|4.0.4
@postman/node-keytar 7.9.6|7.9.4|7.9.5
@postman/tunnel-agent 0.6.7|0.6.6|0.6.5
@pradhumngautam/common-app 1.0.2
@productdevbook/animejs-vue 0.2.1
@productdevbook/auth 0.2.2
@productdevbook/chatwoot 2.0.1
@productdevbook/motion 1.0.4
@productdevbook/ts-i18n 1.4.2
@pruthvi21/use-debounce 1.0.3
@quick-start-soft/quick-document-translator 1.4.2511142126
@quick-start-soft/quick-git-clean-markdown 1.4.2511142126
@quick-start-soft/quick-markdown 1.4.2511142126
@quick-start-soft/quick-markdown-compose 1.4.2506300029
@quick-start-soft/quick-markdown-image 1.4.2511142126
@quick-start-soft/quick-markdown-print 1.4.2511142126
@quick-start-soft/quick-markdown-translator 1.4.2509202331
@quick-start-soft/quick-remove-image-background 1.4.2511142126
@quick-start-soft/quick-task-refine 1.4.2511142126
@relyt/claude-context-core 0.1.1
@sameepsi/sor 1.0.3
@sameepsi/sor2 2.0.2
@seezo/sdr-mcp-server 0.0.5
@seung-ju/next 0.0.2
@seung-ju/openapi-generator 0.0.4
@seung-ju/react-hooks 0.0.2
@seung-ju/react-native-action-sheet 0.2.1
@silgi/better-auth 0.8.1
@silgi/drizzle 0.8.4
@silgi/ecosystem 0.7.6
@silgi/graphql 0.7.15
@silgi/module-builder 0.8.8
@silgi/openapi 0.7.4
@silgi/permission 0.6.8
@silgi/ratelimit 0.2.1
@silgi/scalar 0.6.2
@silgi/yoga 0.7.1
@sme-ui/aoma-vevasound-metadata-lib 0.1.3
@strapbuild/react-native-date-time-picker 2.0.4
@strapbuild/react-native-perspective-image-cropper 0.4.15
@strapbuild/react-native-perspective-image-cropper-2 0.4.7
@strapbuild/react-native-perspective-image-cropper-poojan31 0.4.6
@suraj_h/medium-common 1.0.5
@thedelta/eslint-config 1.0.2
@tiaanduplessis/json 2.0.2|2.0.3
@tiaanduplessis/json 2.0.3|2.0.2
@tiaanduplessis/react-progressbar 1.0.1|1.0.2
@tiaanduplessis/react-progressbar 1.0.2|1.0.1
@trackstar/angular-trackstar-link 1.0.2
@trackstar/react-trackstar-link 2.0.21
@trackstar/react-trackstar-link-upgrade 1.1.10
@trackstar/test-angular-package 0.0.9
@trackstar/test-package 1.1.5
@trefox/sleekshop-js 0.1.6
@trigo/atrix 7.0.1
@trigo/atrix-elasticsearch 2.0.1
@trigo/atrix-postgres 1.0.3
@trigo/atrix-pubsub 4.0.3
@trigo/atrix-soap 1.0.2
@trigo/atrix-swagger 3.0.1
@trigo/bool-expressions 4.1.3
@trigo/eslint-config-trigo 3.3.1
@trigo/fsm 3.4.2
@trigo/hapi-auth-signedlink 1.3.1
@trigo/pathfinder-ui-css 0.1.1
@trigo/trigo-hapijs 5.0.1
@trpc-rate-limiter/cloudflare 0.1.4
@trpc-rate-limiter/hono 0.1.4
@varsityvibe/api-client 1.3.36|1.3.37
@varsityvibe/utils 5.0.6
@varsityvibe/validation-schemas 0.6.7|0.6.8
@viapip/eslint-config 0.2.4
@vishadtyagi/full-year-calendar 0.1.11
@voiceflow/alexa-types 2.15.61
@voiceflow/alexa-types 2.15.60|2.15.61
@voiceflow/anthropic 0.4.4|0.4.5
@voiceflow/api-sdk 3.28.59
@voiceflow/api-sdk 3.28.58|3.28.59
@voiceflow/backend-utils 5.0.1|5.0.2
@voiceflow/backend-utils 5.0.2|5.0.1
@voiceflow/base-types 2.136.2|2.136.3
@voiceflow/base-types 2.136.3|2.136.2
@voiceflow/body-parser 1.21.2|1.21.3
@voiceflow/chat-types 2.14.58|2.14.59
@voiceflow/chat-types 2.14.59|2.14.58
@voiceflow/circleci-config-sdk-orb-import 0.2.1|0.2.2
@voiceflow/commitlint-config 2.6.1
@voiceflow/commitlint-config 2.6.2|2.6.1
@voiceflow/common 8.9.1|8.9.2
@voiceflow/default-prompt-wrappers 1.7.3|1.7.4
@voiceflow/default-prompt-wrappers 1.7.4|1.7.3
@voiceflow/dependency-cruiser-config 1.8.11|1.8.12
@voiceflow/dependency-cruiser-config 1.8.12|1.8.11
@voiceflow/dtos-interact 1.40.1|1.40.2
@voiceflow/dtos-interact 1.40.2|1.40.1
@voiceflow/encryption 0.3.2|0.3.3
@voiceflow/encryption 0.3.3|0.3.2
@voiceflow/eslint-config 7.16.4|7.16.5
@voiceflow/eslint-plugin 1.6.1|1.6.2
@voiceflow/eslint-plugin 1.6.2|1.6.1
@voiceflow/exception 1.10.1|1.10.2
@voiceflow/exception 1.10.2|1.10.1
@voiceflow/fetch 1.11.1|1.11.2
@voiceflow/general-types 3.2.22|3.2.23
@voiceflow/general-types 3.2.23|3.2.22
@voiceflow/git-branch-check 1.4.3
@voiceflow/git-branch-check 1.4.4|1.4.3
@voiceflow/google-dfes-types 2.17.12|2.17.13
@voiceflow/google-types 2.21.13
@voiceflow/google-types 2.21.12|2.21.13
@voiceflow/husky-config 1.3.1
@voiceflow/husky-config 1.3.1|1.3.2
@voiceflow/logger 2.4.2|2.4.3
@voiceflow/logger 2.4.3|2.4.2
@voiceflow/metrics 1.5.1|1.5.2
@voiceflow/metrics 1.5.2|1.5.1
@voiceflow/natural-language-commander 0.5.2|0.5.3
@voiceflow/nestjs-common 2.75.2|2.75.3
@voiceflow/nestjs-mongodb 1.3.1|1.3.2
@voiceflow/nestjs-rate-limit 1.3.2|1.3.3
@voiceflow/nestjs-rate-limit 1.3.3|1.3.2
@voiceflow/nestjs-redis 1.3.1|1.3.2
@voiceflow/nestjs-timeout 1.3.1
@voiceflow/nestjs-timeout 1.3.1|1.3.2
@voiceflow/npm-package-json-lint-config 1.1.1
@voiceflow/npm-package-json-lint-config 1.1.1|1.1.2
@voiceflow/openai 3.2.2|3.2.3
@voiceflow/pino 6.11.3|6.11.4
@voiceflow/pino 6.11.4|6.11.3
@voiceflow/pino-pretty 4.4.1|4.4.2
@voiceflow/pino-pretty 4.4.2|4.4.1
@voiceflow/prettier-config 1.10.1
@voiceflow/prettier-config 1.10.2|1.10.1
@voiceflow/react-chat 1.65.4
@voiceflow/react-chat 1.65.4|1.65.3
@voiceflow/runtime 1.29.1|1.29.2
@voiceflow/runtime-client-js 1.17.2|1.17.3
@voiceflow/runtime-client-js 1.17.3|1.17.2
@voiceflow/sdk-runtime 1.43.1|1.43.2
@voiceflow/sdk-runtime 1.43.2|1.43.1
@voiceflow/secrets-provider 1.9.2
@voiceflow/secrets-provider 1.9.3|1.9.2
@voiceflow/semantic-release-config 1.4.1
@voiceflow/semantic-release-config 1.4.2|1.4.1
@voiceflow/serverless-plugin-typescript 2.1.7|2.1.8
@voiceflow/slate-serializer 1.7.3|1.7.4
@voiceflow/slate-serializer 1.7.4|1.7.3
@voiceflow/stitches-react 2.3.2|2.3.3
@voiceflow/stitches-react 2.3.3|2.3.2
@voiceflow/storybook-config 1.2.2|1.2.3
@voiceflow/stylelint-config 1.1.1
@voiceflow/stylelint-config 1.1.1|1.1.2
@voiceflow/test-common 2.1.1|2.1.2
@voiceflow/tsconfig 1.12.1
@voiceflow/tsconfig 1.12.2|1.12.1
@voiceflow/tsconfig-paths 1.1.4|1.1.5
@voiceflow/tsconfig-paths 1.1.5|1.1.4
@voiceflow/utils-designer 1.74.20
@voiceflow/utils-designer 1.74.19|1.74.20
@voiceflow/verror 1.1.4
@voiceflow/verror 1.1.5|1.1.4
@voiceflow/vite-config 2.6.2|2.6.3
@voiceflow/vitest-config 1.10.2|1.10.3
@voiceflow/vitest-config 1.10.3|1.10.2
@voiceflow/voice-types 2.10.58|2.10.59
@voiceflow/voice-types 2.10.59|2.10.58
@voiceflow/voiceflow-types 3.32.45|3.32.46
@voiceflow/widget 1.7.18|1.7.19
@vucod/email 0.0.3
@zapier/ai-actions 0.1.20|0.1.19|0.1.18
@zapier/babel-preset-zapier 6.4.2|6.4.1|6.4.3
@zapier/browserslist-config-zapier 1.0.4|1.0.3|1.0.5
@zapier/secret-scrubber 1.1.5|1.1.4|1.1.3
02-echo 0.0.7
ai-crowl-shield 1.0.7
arc-cli-fc 1.0.1
asciitranslator 1.0.3
asyncapi-preview 1.0.2|1.0.1
atrix 1.0.1
automation_model 1.0.491
avvvatars-vue 1.1.2
axios-builder 1.2.1
axios-cancelable 1.0.1|1.0.2
axios-cancelable 1.0.2|1.0.1
axios-timed 1.0.1|1.0.2
axios-timed 1.0.2|1.0.1
barebones-css 1.1.3|1.1.4
barebones-css 1.1.4|1.1.3
benmostyn-frame-print 1.0.1
best_gpio_controller 1.0.10
bestgpiocontroller 1.0.10
better-auth-nuxt 0.0.10
bidirectional-adapter 1.2.2|1.2.3|1.2.4
bidirectional-adapter 1.2.2|1.2.4|1.2.5|1.2.3
blinqio-executions-cli 1.0.41
blob-to-base64 1.0.3
buffered-interpolation-babylon6 0.2.8
bun-plugin-httpfile 0.1.1
bytecode-checker-cli 1.0.11|1.0.8|1.0.9|1.0.10
bytes-to-x 1.0.1
calc-loan-interest 1.0.4
capacitor-plugin-apptrackingios 0.0.21
capacitor-plugin-purchase 0.1.1
capacitor-plugin-scgssigninwithgoogle 0.0.5
capacitor-purchase-history 0.0.10
capacitor-voice-recorder-wav 6.0.3
ceviz 0.0.5
chrome-extension-downloads 0.0.3|0.0.4
claude-token-updater 1.0.3
coinmarketcap-api 3.1.2|3.1.3
coinmarketcap-api 3.1.3|3.1.2
colors-regex 2.0.1
command-irail 0.5.4
compare-obj 1.1.1|1.1.2
composite-reducer 1.0.2|1.0.3|1.0.4|1.0.5
composite-reducer 1.0.4|1.0.3|1.0.2|1.0.5
count-it-down 1.0.1|1.0.2
count-it-down 1.0.2|1.0.1
cpu-instructions 0.0.14
create-director-app 0.1.1
create-glee-app 0.2.3|0.2.2
create-hardhat3-app 1.1.4|1.1.3|1.1.1|1.1.2
create-silgi 0.3.1
crypto-addr-codec 0.1.9
css-dedoupe 0.1.2
csv-tool-cli 1.2.1
dashboard-empty-state 1.0.3
designstudiouiux 1.0.1
devstart-cli 1.0.6
dialogflow-es 1.1.4|1.1.3|1.1.1|1.1.2
discord-bot-server 0.1.2
docusaurus-plugin-vanilla-extract 1.0.3
dont-go 1.1.2
dotnet-template 0.0.3|0.0.4
drop-events-on-property-plugin 0.0.2
easypanel-sdk 0.3.2
email-deliverability-tester 1.1.1
enforce-branch-name 1.1.3
esbuild-plugin-brotli 0.2.1
esbuild-plugin-eta 0.1.1
esbuild-plugin-httpfile 0.4.1
eslint-config-nitpicky 4.0.1
eslint-config-trigo 22.0.2
eslint-config-zeallat-base 1.0.4
ethereum-ens 0.8.1
evm-checkcode-cli 1.0.15|1.0.12|1.0.13|1.0.14
exact-ticker 0.3.5
expo-audio-session 0.2.1
expo-router-on-rails 0.0.4
express-starter-template 1.0.10
expressos 1.1.3
fat-fingered 1.0.1|1.0.2
fat-fingered 1.0.2|1.0.1
feature-flip 1.0.1|1.0.2
feature-flip 1.0.2|1.0.1
firestore-search-engine 1.2.3
fittxt 1.0.2|1.0.3
fittxt 1.0.3|1.0.2
flapstacks 1.0.1|1.0.2
flapstacks 1.0.2|1.0.1
flatten-unflatten 1.0.1|1.0.2
flatten-unflatten 1.0.2|1.0.1
formik-error-focus 2.0.1
formik-store 1.0.1
frontity-starter-theme 1.0.1
fuzzy-finder 1.0.5|1.0.6
gate-evm-check-code2 2.0.3|2.0.4|2.0.5|2.0.6
gate-evm-tools-test 1.0.7|1.0.8|1.0.5|1.0.6
gatsby-plugin-antd 2.2.1
gatsby-plugin-cname 1.0.1|1.0.2
gatsby-plugin-cname 1.0.2|1.0.1
generator-meteor-stock 0.1.6
generator-ng-itobuz 0.0.15
get-them-args 1.3.3
github-action-for-generator 2.1.28
github-action-for-generator 2.1.28|2.1.27
gitsafe 1.0.5
go-template 0.1.8|0.1.9
gulp-inject-envs 1.2.1|1.2.2
gulp-inject-envs 1.2.2|1.2.1
haufe-axera-api-client 0.0.2
haufe-axera-api-client 0.0.1|0.0.2
hope-mapboxdraw 0.1.1
hopedraw 1.0.3
hover-design-prototype 0.0.5
httpness 1.0.2|1.0.3
httpness 1.0.3|1.0.2
hyper-fullfacing 1.0.3
hyperterm-hipster 1.0.7
ids-css 1.5.1
ids-enterprise-mcp-server 0.0.2
ids-enterprise-ng 20.1.6
ids-enterprise-typings 20.1.6
image-to-uri 1.0.1|1.0.2
image-to-uri 1.0.2|1.0.1
insomnia-plugin-random-pick 1.0.4
invo 0.2.2
iron-shield-miniapp 0.0.2
ito-button 8.0.3
itobuz-angular 0.0.1
itobuz-angular-auth 8.0.11
itobuz-angular-button 8.0.11
jacob-zuma 1.0.1|1.0.2
jacob-zuma 1.0.2|1.0.1
jaetut-varit-test 1.0.2
jan-browser 0.13.1
jquery-bindings 1.1.2|1.1.3
jquery-bindings 1.1.3|1.1.2
jsonsurge 1.0.7
just-toasty 1.7.1
kill-port 2.0.2|2.0.3
kill-port 2.0.3|2.0.2
kinetix-default-token-list 1.0.5
kns-error-code 1.0.8
korea-administrative-area-geo-json-util 1.0.7
kwami 1.5.9|1.5.10
lang-codes 1.0.1|1.0.2
lang-codes 1.0.2|1.0.1
license-o-matic 1.2.1|1.2.2
license-o-matic 1.2.2|1.2.1
lint-staged-imagemin 1.3.1|1.3.2
lite-serper-mcp-server 0.2.2
lui-vue-test 0.70.9
luno-api 1.2.3
m25-transaction-utils 1.1.16
manual-billing-system-miniapp-api 1.3.1
medusa-plugin-announcement 0.0.3
medusa-plugin-logs 0.0.17
medusa-plugin-momo 0.0.68
medusa-plugin-product-reviews-kvy 0.0.4
medusa-plugin-zalopay 0.0.40
mod10-check-digit 1.0.1
mon-package-react-typescript 1.0.1
my-saeed-lib 0.1.1
n8n-nodes-tmdb 0.5.1
n8n-nodes-vercel-ai-sdk 0.1.7
n8n-nodes-viral-app 0.2.5
nanoreset 7.0.1|7.0.2
nanoreset 7.0.2|7.0.1
next-circular-dependency 1.0.2|1.0.3
next-circular-dependency 1.0.3|1.0.2
next-simple-google-analytics 1.1.1|1.1.2
next-styled-nprogress 1.0.4|1.0.5
ngx-useful-swiper-prosenjit 9.0.2
ngx-wooapi 12.0.1
nitro-graphql 1.5.12
nitro-kutu 0.1.1
nitrodeploy 1.0.8
nitroping 0.1.1
normal-store 1.3.1|1.3.2|1.3.3
normal-store 1.3.1|1.3.4|1.3.3|1.3.2
nuxt-keycloak 0.2.2
obj-to-css 1.0.2|1.0.3
obj-to-css 1.0.3|1.0.2
okta-react-router-6 5.0.1
open2internet 0.1.1
orbit-boxicons 2.1.3
orbit-nebula-draw-tools 1.0.10
orbit-nebula-editor 1.0.2
orbit-soap 0.43.13
orchestrix 12.1.2
package-tester 1.0.1
parcel-plugin-asset-copier 1.1.2|1.1.3
parcel-plugin-asset-copier 1.1.3|1.1.2
pdf-annotation 0.0.2
pergel 0.13.2
pergeltest 0.0.25
piclite 1.0.1
pico-uid 1.0.3|1.0.4
pico-uid 1.0.4|1.0.3
pkg-readme 1.1.1
poper-react-sdk 0.1.2
posthog-docusaurus 2.0.6
posthog-js 1.297.3
posthog-node 4.18.1|5.13.3|5.11.3
posthog-plugin-hello-world 1.0.1
posthog-react-native 4.11.1|4.12.5
posthog-react-native-session-replay 1.2.2
prime-one-table 0.0.19
prompt-eng 1.0.50
puny-req 1.0.3
quickswap-ads-list 1.0.33
quickswap-default-staking-list 1.0.11
quickswap-default-staking-list-address 1.0.55
quickswap-router-sdk 1.0.1
quickswap-sdk 3.0.44
quickswap-smart-order-router 1.0.1
quickswap-token-lists 1.0.3
quickswap-v2-sdk 2.0.1
ra-auth-firebase 1.0.3
ra-data-firebase 1.0.8|1.0.7
react-component-taggers 0.1.9
react-data-to-export 1.0.1
react-element-prompt-inspector 0.1.18
react-favic 1.0.2
react-hook-form-persist 3.0.1|3.0.2
react-hook-form-persist 3.0.2|3.0.1
react-jam-icons 1.0.1|1.0.2
react-jam-icons 1.0.2|1.0.1
react-keycloak-context 1.0.8|1.0.9
react-library-setup 0.0.6
react-linear-loader 1.0.2
react-micromodal.js 1.0.1|1.0.2
react-micromodal.js 1.0.2|1.0.1
react-native-datepicker-modal 1.3.1|1.3.2
react-native-email 2.1.1|2.1.2
react-native-fetch 2.0.1|2.0.2
react-native-get-pixel-dimensions 1.0.1|1.0.2
react-native-get-pixel-dimensions 1.0.2|1.0.1
react-native-google-maps-directions 2.1.2
react-native-jam-icons 1.0.1|1.0.2
react-native-jam-icons 1.0.2|1.0.1
react-native-log-level 1.2.1|1.2.2
react-native-log-level 1.2.2|1.2.1
react-native-modest-checkbox 3.3.1
react-native-modest-storage 2.1.1
react-native-phone-call 1.2.1|1.2.2
react-native-phone-call 1.2.2|1.2.1
react-native-retriable-fetch 2.0.1|2.0.2
react-native-use-modal 1.0.3
react-native-view-finder 1.2.1|1.2.2
react-native-view-finder 1.2.2|1.2.1
react-native-websocket 1.0.3|1.0.4
react-native-websocket 1.0.4|1.0.3
react-native-worklet-functions 3.3.3
react-packery-component 1.0.3
react-qr-image 1.1.1
react-scrambled-text 1.0.4
rediff 1.0.5
rediff-viewer 0.0.7
redux-router-kit 1.2.2|1.2.4|1.2.3
revenuecat 1.0.1
rollup-plugin-httpfile 0.2.1
sa-company-registration-number-regex 1.0.1|1.0.2
sa-company-registration-number-regex 1.0.2|1.0.1
sa-id-gen 1.0.4|1.0.5
samesame 1.0.3
scgs-capacitor-subscribe 1.0.11
scgsffcreator 1.0.5
schob 1.0.3
set-nested-prop 2.0.1|2.0.2
shelf-jwt-sessions 0.1.2
shell-exec 1.1.3|1.1.4
shell-exec 1.1.4|1.1.3
shinhan-limit-scrap 1.0.3
silgi 0.43.30
simplejsonform 1.0.1
skills-use 0.1.2|0.1.1
solomon-api-stories 1.0.2
solomon-v3-stories 1.15.6
solomon-v3-ui-wrapper 1.6.1
soneium-acs 1.0.1
sort-by-distance 2.0.1
south-african-id-info 1.0.2
stat-fns 1.0.1
stoor 2.3.2
sufetch 0.4.1
super-commit 1.0.1
svelte-autocomplete-select 1.1.1
svelte-toasty 1.1.2|1.1.3
svelte-toasty 1.1.3|1.1.2
tanstack-shadcn-table 1.1.5
tavily-module 1.0.1
tcsp 2.0.2
tcsp-draw-test 1.0.5
tcsp-test-vd 2.4.4
template-lib 1.1.3|1.1.4
template-lib 1.1.4|1.1.3
template-micro-service 1.0.2|1.0.3
template-micro-service 1.0.3|1.0.2
tenacious-fetch 2.3.2|2.3.3
tenacious-fetch 2.3.3|2.3.2
test-foundry-app 1.0.4|1.0.3|1.0.2|1.0.1
test-hardhat-app 1.0.4|1.0.3|1.0.2|1.0.1
test23112222-api 1.0.1
tiaan 1.0.2
tiptap-shadcn-vue 0.2.1
token.js-fork 0.7.32
toonfetch 0.3.2
trigo-react-app 4.1.2
ts-relay-cursor-paging 2.1.1
typeface-antonio-complete 1.0.5
typefence 1.2.2|1.2.3
typeorm-orbit 0.2.27
unadapter 0.1.3
undefsafe-typed 1.0.4
undefsafe-typed 1.0.4|1.0.3
unemail 0.3.1
uniswap-router-sdk 1.6.2
uniswap-smart-order-router 3.16.26
uniswap-test-sdk-core 4.0.8
unsearch 0.0.3
uplandui 0.5.4
upload-to-play-store 1.0.1|1.0.2
upload-to-play-store 1.0.2|1.0.1
url-encode-decode 1.0.1|1.0.2
url-encode-decode 1.0.2|1.0.1
use-unsaved-changes 1.0.9
v-plausible 1.2.1
valid-south-african-id 1.0.3
valuedex-sdk 3.0.5
vf-oss-template 1.0.4|1.0.3|1.0.2|1.0.1
victoria-wallet-constants 0.1.1
victoria-wallet-core 0.1.1
victoria-wallet-type 0.1.1
victoria-wallet-utils 0.1.1
victoria-wallet-validator 0.1.1
victoriaxoaquyet-wallet-core 0.2.1
vite-plugin-httpfile 0.2.1
vue-browserupdate-nuxt 1.0.5
wallet-evm 0.3.1
wallet-type 0.1.1
web-scraper-mcp 1.1.4
web-types-htmx 0.1.1
web-types-lit 0.1.1
webpack-loader-httpfile 0.2.1
wellness-expert-ng-gallery 5.1.1
wenk 1.0.9|1.0.10
zapier-async-storage 1.0.3|1.0.2|1.0.1
zapier-platform-cli 18.0.4|18.0.3|18.0.2
zapier-platform-core 18.0.4|18.0.3|18.0.2
zapier-platform-schema 18.0.4|18.0.3|18.0.2
zapier-scripts 7.8.3|7.8.4
zuper-cli 1.0.1
zuper-sdk 1.0.57
zuper-stream 2.0.9


From Factory Floors to Software Stacks: Why OSS Risk Now Mirrors Physical Supply Chain Threats

Author: Rod Cobain

In the original piece, Mike Dwyer painted a vivid picture: manufacturing supply chains are no longer just mechanical or logistical systems; they are deeply entwined digital ecosystems, where each ERP module, IoT-enabled actuator, and tier-2 supplier node can become an entry point for cyber threats (Logistics Matters). Today, I want to push the conversation further: the open source software (OSS) layer now acts like a silent “sub-supplier” embedded within your tech stack, and like any hidden supply risk, it demands boardroom attention, not just the care of the development team. The risk of ignoring this falls not just on your business but on your customers and their suppliers.

Recasting Mike Dwyer: Resilience Is About More Than Hardware

The core message from Mike remains pivotal:

  • Cyber risk is business risk: it must be integrated across operations, procurement, R&D and logistics. How many times does this need to be repeated?
  • Legacy point solutions are no longer sufficient: resilience must be designed globally, across tiers. This is a leadership responsibility.
  • Next-generation supply chains rely on intelligence, visibility and agility, but every “smart” layer you add is a new attack surface.

What often goes unsaid, and is less visible to many manufacturers, is how much of the “smarts” in these systems is built on open source software components. Every subsystem, from sensor drivers to data analytics modules, leverages OSS libraries. So the same supply chain logic Mike describes must apply internally: your software dependencies are now your internal “suppliers.”

Meterian’s Warning: OSS Is Not Free from Risk. It’s a Source of Escalation, Regardless of Business Size or Sector

Escalation Through the OSS Layer: A Multi-Tier Threat Model

Let’s examine how OSS risk can escalate, step by step, through any business sector:

  1. Developer/Subsystem Level
     A team integrates a third-party open source library (e.g. for analytics, messaging, or edge compute). Unknown to them, one of its transitive dependencies carries a known vulnerability (a published CVE).
     → That module becomes a foothold open to exploitation.
  2. Application/Subsystem Aggregation
     The vulnerable component is embedded in a subsystem (e.g. quality tracking, process control) that exposes APIs or networked endpoints. Attackers exploit the library flaw to gain code execution or escalate privileges.
     → What was a discrete bug becomes a path into a critical subsystem.
  3. Platform / Middleware / Integration Layer
     Multiple subsystems feed into central integration layers (e.g. MES, orchestration, data middleware). A malicious actor moves laterally from one compromised subsystem into the integration fabric.
     → The exploit travels across domains, bridging OT/IT boundaries.
  4. Control Systems / OT / Physical Assets
     From the integration layer, attackers may reach OT systems controlling PLCs, robotics, or sensors. Here lies the real operational impact: production halts, manipulated outputs, or safety risks.
     → The breach translates into physical damage or downtime.
  5. Supply Chain / Partner Ecosystem
     If that platform is shared, or upstream/downstream partners rely on the same components, the exploit can spread further. A single OSS vulnerability can cascade throughout the partner network.
     → The breach finally becomes systemic, affecting multiple actors.

At each layer, the “supplier” is the embedded code you didn’t write, and if you haven’t been continuously verifying its integrity, the risk is already live.

Practical Steps: Embedding OSS Governance into Your Resilience Strategy

To fuse Mike Dwyer’s vision and Meterian’s warnings into actionable posture, here are recommendations:

  • Treat OSS like any other supplier: maintain an SBOM (software bill of materials) for all systems, and demand security assurances (e.g. scans, patches) from internal and third-party teams.
  • Integrate continuous SCA / vulnerability scanning: embed tools like Meterian (or similar) into CI/CD pipelines so that builds with failing security scores are automatically flagged or blocked.
  • Prioritise remediation, not just detection: use auto-remediation where possible, or triage by threat score, to avoid alert fatigue and ensure action. Meterian helps with guided upgrade paths.
  • Cross-functional awareness and training: give developers, ops, procurement and leadership visibility into OSS risk, and the agency to act on it.
  • Threat modelling that spans the software supply chain: extend your existing supply chain risk models to include internal “supplier layers” (OSS, SDKs) as nodes in your attack graphs.
  • Incident playbooks that assume internal code risk: in response planning, simulate OSS vulnerability scenarios, not just network intrusion, because in many modern attacks the initial vector is a library exploit.

Final Thought: Resilience Demands Depth, Not Just Perimeter

Mike Dwyer’s assertion remains apt: supply chain security is business security. But the conversation must now extend inward: the OSS layer, once viewed as a cost-saver or innovation enabler, is a core battleground. Its risks escalate upward. A vulnerability at the bottom can ripple all the way to the executive level, halting production lines or worse.

It’s time to shift from reactive patching to anticipatory governance. Treat code like any other critical supplier, inspect it, test it, govern it, and don’t let your next downtime be the moment you realize the invisible layer was your greatest weakness. Are you aware that the UK Cyber Framework is in the spotlight and is seen as the standard to follow?

Stop ignoring the silent supplier. It’s time to manage your Open Source Risk in the modern supply chain and manufacturing tech stack. 


Closing the Cyber Insurance Gap

Why Open-Source Scanning & Monitoring Are the Real Safety Net


Cyber insurance is the latest addition to the arsenal of tools in the fight against cyber attacks, alongside Cyber Essentials and penetration testing. In business and in private life alike, we rely on insurance to cover the day-to-day events that disrupt our lives, but that safety net does not always meet expectations. The recent experiences of Jaguar Land Rover and the Co-op prove what many risk leaders already suspect: today’s cyber policies are riddled with exclusions and caveats that leave businesses exposed when it matters most.

In 2025 alone, we’ve seen:

  • Jaguar Land Rover (JLR) suffered a crippling cyberattack in September, shutting down production lines and disrupting suppliers worldwide. Without a finalised cyber insurance policy, JLR is left absorbing the financial and operational fallout.
  • The Co-op, still reeling from its April cyber incident, disclosed £206 million in lost revenue and an £80 million operating profit hit, much of which fell outside traditional insurance coverage.

Both stories highlight the same painful truth: insurance pays after the damage, if at all. Prevention pays every single time.


The Fine Print of Cyber Insurance: What’s Not Covered

Insurers are increasingly cautious, excluding or limiting coverage in ways that reduce meaningful protection:

  • State-backed exclusions: Attacks deemed “nation-state” or “warlike” are carved out, leaving businesses to shoulder catastrophic losses.
  • Supply-chain blind spots: Most policies cover only direct IT damage, not the ripple effects when suppliers, logistics providers, or cloud vendors go dark.
  • Sublimits & carve-outs: Crisis PR, forensic costs, and even some business interruption claims often fall under restrictive sublimits.
  • Attribution battles: Proving causation can delay payouts for months, while revenue, reputation, and customer trust evaporate in days.

Why Open-Source Scanning & Monitoring Changes the Game

Insurance alone is not a resilience strategy. The real advantage comes from detecting, patching, and preventing threats before they escalate into claims. That’s where open-source scanning and monitoring deliver unparalleled value:

  • Transparency at scale: unlike closed systems, open-source tools are frequently reviewed, tested and enhanced by global communities, so vulnerabilities are more likely to be spotted and addressed before they can be exploited.
  • Supply-chain visibility: Open-source monitoring illuminates risks across your ecosystem, from third-party code to vendor dependencies, directly addressing the blind spots excluded by insurance policies.
  • Cost-effective coverage: Deploying open-source scanning costs a fraction of insurance premiums, yet continuously reduces exposure, lowering both the frequency and severity of incidents.
  • Proactive compliance: Continuous monitoring demonstrates active governance, satisfying regulators, insurers, and boards while strengthening claims positions if an event does occur.
  • Actionable insights, not afterthoughts: real-time alerts allow IT and security teams to act before attackers exploit weaknesses, something insurance simply cannot offer.

Case Studies Reinforced: What JLR & Co-op Teach Us

  • Jaguar Land Rover’s disruption shows how missing insurance leaves organisations financially stranded. But even if cover had been in place, insurers likely would have contested or capped payouts under supply-chain or nation-state exclusions. Open-source monitoring could have identified weak points in advance, preventing stoppages before they cascaded through factories.
  • The Co-op’s £206 million loss illustrates the scale of business interruption; continuous monitoring would have been a better defence. Closing exploited vulnerabilities early would have shrunk the financial damage and spared the company the time-consuming, low-yield fight over insurance claims.

Industry Recommendation: Build a Dual Shield

The modern cyber risk landscape demands a two-pronged defence: insurance to handle the financial aftershocks, and, more importantly, open-source scanning and monitoring deployed strategically to achieve real-time resilience by closing the specific exposure gaps that insurance explicitly leaves open.

In 2025, the winners won’t be those with the biggest insurance policy, but those who combine smart financial protection with relentless, transparent, and scalable monitoring.

Open-source scanning is far beyond a technical choice; it is a strategic investment. It empowers boards, reassures investors, and proves to regulators and customers that resilience is a measurable commitment, not just a buzzword.

Don’t just insure your cyber risk. Shrink it, and maximise your operational stability.


Open Source Code in the Insurance Sector: Boom or Cybersecurity Time Bomb?

Benefits, Risks, and Real-World Attacks Involving Open Source in the Insurance Industry

The insurance sector is undergoing a rapid digital transformation, integrating technologies like artificial intelligence, big data analytics, blockchain, and cloud computing to better serve customers, optimise operations, and reduce fraud. Central to this shift is the growing reliance on open source software (OSS): tools, libraries, and platforms freely available for development, adaptation, and integration. In conversations with C-suite members across all the key sectors, OSS is recognised as beneficial but also seen as the “elephant in the room”: the risks are known, but a lack of experience in dealing with this layer is allowing threat penetration to succeed.

While OSS empowers insurers with flexibility, innovation, and cost efficiency, it also introduces serious cybersecurity risks. This article explores how open source is being used in insurance, outlines the real-world consequences of cyber threats involving OSS, and assesses the risks of future attacks, especially as threats grow more sophisticated.

Why Insurers Use Open Source Software

Open source components are now integrated into nearly every stage of the software development lifecycle in the insurance industry. Key benefits include:

  • Cost savings: Avoiding high licensing fees of proprietary software.
  • Faster development: Leveraging pre-built libraries and frameworks.
  • Community support: Tapping into vast global expertise and frequent updates.
  • Flexibility: Extending existing open source code to meet business-specific requirements.

Examples include:

  • Apache Kafka and Airflow for real-time data processing.
  • TensorFlow for machine learning in fraud detection.
  • PostgreSQL and MongoDB for scalable data storage.
  • OpenJDK as a base for Java-based enterprise applications.

With open source software, legacy systems have been replaced. Insurance software providers have gained ready-to-use features and deliver enterprise-grade and SaaS applications 50-60% faster, while avoiding vendor lock-in. They are seizing the opportunity to be part of a sector-specific open source software community to learn, grow, and contribute, with the potential to shape future direction at a sector level. Some of these ready-to-use features include policy, claim, and property management, as well as time tracking. There are also templates available to offer embedded insurance products seamlessly integrated into customer buying experiences.

The business-led, software-driven transformation helps streamline processes, enhance risk assessment, and improve customer service. We can all appreciate the availability of cloud-based solutions that have increased the ease of purchasing standalone and embedded insurance products in our daily digital experiences. Forgot to buy travel insurance when you booked your ski holiday? Not to worry: the ski rental agency selling lift passes on its mobile web app also lets you buy insurance at checkout. Open source software is helping to drive innovation and specialised offers across sectors, giving sellers and resellers greater access to customers wherever they are in their journey.

Cybersecurity Risks of Open Source within the Insurance Sector

Open source code, while powerful, is not immune to vulnerabilities. Many packages are maintained by volunteers, and while updates and patches are often released very quickly, it is difficult for a company to keep pace because of a lack of awareness and of processes to handle them. A single unpatched library can serve as a gateway to an entire corporate network, and for insurance companies this can expose sensitive personal, financial, and medical data.

Key risks include:

  • Direct cyber attacks: without vulnerability scanning, an attacker can leverage an existing vulnerability in a single open source component used on an internet-facing system to reach internal databases.
  • Supply chain attacks: a piece of malicious code included in a widely used software library is automatically incorporated into thousands of downstream applications that use the library, allowing the attackers to compromise a vast number of targets simultaneously.
  • Licence mismanagement and IP risks: when using a component under a non-business-friendly licence (for example a strong copyleft licence), there is a significant risk of being forced to publicly release your own intellectual property, leading to loss of competitive advantage and potential legal action.
  • Shadow IT and undocumented OSS use: the unmonitored use of unapproved software, often by developers seeking speed and agility, creates significant security and compliance blind spots, as these tools operate outside corporate governance and lack security patching or vulnerability tracking.

Notable Cyber Attacks Involving Open Source

1. Log4Shell (CVE-2021-44228) – Apache Log4j

In late 2021, a critical remote code execution vulnerability was discovered in Log4j, a widely used Java logging library.

Impact on insurance: Many insurance firms used Java-based enterprise systems that included Log4j, making them vulnerable.

Exploitation: Threat actors could remotely execute arbitrary code on affected systems. APT groups including Charming Kitten (Iran) and APT41 (China) were linked to active exploitation.

2. SolarWinds Supply Chain Attack

Though not directly OSS-related, this 2020 attack brought attention to third-party code risks, including OSS components.

Relevance to insurers: Many insurers use SolarWinds or similar IT management tools, and the incident led to an industry-wide audit of third-party dependencies.

3. MOVEit Transfer Exploits (2023)

The Cl0p ransomware gang exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress MOVEit Transfer file transfer software, affecting thousands of organisations, including dozens of insurance, healthcare, and finance companies.

Relation to OSS: MOVEit, while proprietary, included OSS components and APIs, showing how OSS can be an indirect vector.

Victims: Included Genworth Financial, a major life and mortgage insurer.

Known Named Threat Actors Targeting the Sector

  • DarkSide / BlackCat: Ransomware-as-a-Service groups frequently use software vulnerabilities, including in OSS, for initial access.
  • FIN11 / Cl0p: A ransomware group known for targeting insurance and financial companies.
  • APT38 (North Korea): Known for financial theft operations, including targeting SWIFT and related financial systems.
  • Lazarus Group: Has targeted healthcare and insurance sectors, possibly for both espionage and financial gain.

Future Threat Landscape: What’s Ahead?

The future risk to insurers from open source-based attacks is growing due to:

  • AI-driven vulnerability discovery tools used by threat actors.
  • Complex OSS supply chains making traceability and patching harder.
  • Open source CI/CD toolchains being exploited (e.g., Jenkins, GitLab CI).

Emerging Concerns:

  • Malicious open source packages: attackers upload poisoned libraries to repositories such as npm, PyPI or Packagist, or hijack existing ones. Example: the “ctx” (PyPI) and “phpass” (Packagist) packages, both taken over in May 2022 to exfiltrate environment variables.
  • Dependency confusion attacks: Exploiting package naming inconsistencies in private/public repositories.
  • Insider threats: Poor OSS governance can lead to accidental introduction of vulnerable or backdoored code.

Mitigation Strategies for Insurers

  1. Adopt SBOMs (Software Bill of Materials) Maintain a comprehensive inventory of all open source components in use.
  2. Automated Vulnerability Scanning Use tools like Meterian, Mend (formerly WhiteSource), or Dependabot to detect issues early.
  3. Continuous Monitoring & Patching Establish DevSecOps pipelines to enforce regular OSS updates.
  4. Zero Trust Architectures Prevent lateral movement even if a component is compromised.
  5. Training & Awareness Developers should be trained on secure OSS usage and license compliance.

Conclusion

The open source revolution has undeniably propelled innovation in the insurance industry. But this double-edged sword demands a proactive cybersecurity posture. From high-profile exploits like Log4Shell to the growing sophistication of supply chain attacks, it’s clear that OSS security is no longer optional, it’s critical.

Insurers must recognize open source as both an opportunity and a threat. Only through comprehensive risk management, visibility, and cultural change can they unlock its benefits while shielding themselves from cyber catastrophe.

If you’re in insurance, now’s the time to put OSS security on the boardroom agenda.

Get in touch here to see how we can help!


Major supply chain attack on the NPM ecosystem

by Bruno Bossola, initially published on LinkedIn on September 9, 2025. Republished here following a second, larger attack on November 24, 2025.


A number of popular JavaScript packages were compromised to spread malware, posing a significant threat to software supply chains. The malicious code, heavily obfuscated, was hidden within seemingly legitimate packages on the npm registry and executed at runtime in the applications that bundled them. This type of supply chain attack can lead to the theft of credentials, sensitive data, and even cryptocurrency.

How was the attack performed?

The attack on the debug and chalk packages was a sophisticated supply chain compromise that began with a phishing attack targeting the maintainer’s account. Attackers used a deceptive email, impersonating NPM support, to compromise the maintainer’s credentials. With access to the account, they published new versions of a number of popular JavaScript packages, including debug and chalk, with malicious, obfuscated code. This malware was a cryptocurrency stealer designed to run on a compromised machine, intercepting browser activity and targeting Web3 wallets. The malicious code would hook into network requests and use a fuzzy-matching algorithm to replace a user’s wallet address with an attacker-controlled one during a transaction, silently redirecting funds without the user’s knowledge.

What are the packages affected?

This is the current list at ~0830GMT on 09 September 2025:

How do I know if I am affected?

If you are using Meterian and have Sentinel enabled, you’ve been notified. Please make sure to remove the offending package or move to a non-affected version, and then quarantine the affected systems.

If you are using Meterian, you will also notice that your builds are failing. This is expected: Meterian detects the compromised package and lowers the security score; the moment that score drops below your threshold, the Meterian analysis reports a failure.

In general, developers should audit their codebases for affected packages, monitor network logs for suspicious activity, and stay vigilant against compromised open-source libraries. This incident underscores the critical need for robust security practices in the software development lifecycle.

If you are a developer and want to check whether you are affected, you can run a simple grep from your project folder, where the packages are installed; the string is an identifier from the obfuscated payload, and -l lists only the matching files:

grep -rl "_0x112fa8" node_modules

A Phishing campaign is actively ongoing targeting NPM maintainers!

This is an example of an email received by maintainers from the fake npmjs.help domain, which was created for the sole purpose of performing this attack. If you are an NPM maintainer, please be aware and disregard these emails!

Also, the website is now marked as malicious everywhere and is being taken down as we speak. Well done OSS community!


But I checked and I did not see any malicious code on GitHub!

The difference you’re seeing is due to how npm packages are published.

When a developer publishes a package, they’re not necessarily publishing the exact code from their GitHub repository. Instead, they run a command, npm publish, which creates a compressed file (a tarball) of the project’s files and sends that to the npm registry.

A maintainer can manually modify the files within this tarball before publishing, or their build process could include a step that modifies or adds code, such as minifying or obfuscating it. Because this process happens locally and the resulting tarball is sent directly to npm, these changes might never be committed to the public GitHub repository. This is why the code you see on the npmjs.com website can differ from the code in the associated GitHub repository.

I am running a backend service: am I affected?

The code first confirms it’s running in a web browser by checking for the window object. Once it verifies the environment, it hijacks common methods for network requests and cryptocurrency transactions, specifically window.fetch, XMLHttpRequest, and window.ethereum.request. It also targets other wallet provider APIs.

This means the malware is designed to steal from end users who have a crypto wallet connected to their browser. While developers aren’t the primary target, they can also become victims if they visit an infected site and have an active wallet.

While the malicious code is designed to be activated in a browser, it is still a significant security risk to your backend service. Even though the malicious payload itself may not execute on the server, the compromised packages introduce a backdoor into your dependency chain. The best practice is to immediately update or remove the vulnerable packages to eliminate the risk of a future, more targeted attack on your server.

What’s next?

We will keep updating this article following the evolution of this incident. If you did not do it yet, please consider adding some defence in your pipeline: Meterian users using Sentinel were alerted overnight of the issue.

Best of luck, stay safe!

Update: Read the follow on attack in our blog post from Nov 24, 2025 about Shai-Hulud 2.0 worm.


Does Your Video Platform Have This Vulnerability? A Case for Proactive Vulnerability Assessment

In today’s digital-first economy, your brand story lives and breathes through video—from e-commerce product reels to customer testimonials and user-generated content. But what happens when the infrastructure behind that video platform becomes your weakest link?

A newly disclosed vulnerability in a popular open-source PHP platform is a clear reminder: routine vulnerability assessment is not optional. It’s the foundation for protecting both your customers and your brand’s digital identity. 

PHP: The Web’s Silent Workhorse and a Key Target

According to BuiltWith, PHP powers over 74% of the internet’s websites, including leading e-commerce platforms like Magento, WooCommerce, and PrestaShop. These platforms handle millions in transactions and user data. Their popularity makes them prime targets for open-source security threats, particularly when dependencies and third-party components are not continuously monitored.

IBM’s Cost of a Data Breach report put the global average cost of a breach at $4.35 million in 2022 and $4.88 million in its 2024 edition. But the real damage goes beyond financial loss: customer trust and brand reputation take the biggest hit.

The Exploit: CVE-2025-48732 in AVideo

The latest threat in this category comes from the wwbn/AVideo platform, which serves thousands of streaming and video hosting applications built in PHP.

  • CVE-2025-48732 is a critical-severity vulnerability (CVSS pending) caused by an incomplete denylist (blacklist) in the upload validation, which fails to cover .phar files.
  • The flaw allows attackers to bypass upload restrictions and execute arbitrary code on the server.
  • The root cause? Improper handling of PHP archive (.phar) files, which are neither adequately blocked nor validated.

This is a classic example of supply chain exposure through unpatched third-party libraries. Without proactive open-source vulnerability scanning, affected organisations remain blind to threats lurking in their dependencies.

We regularly analyse open source projects to identify security risks. The image below shows a short summary of the open source software library WWBN/AVideo, which has been found to have critical vulnerabilities.

Why Continuous Vulnerability Assessment Matters

This isn’t just about one vulnerability. It’s a wake-up call for all businesses using open-source frameworks to:

✅ Implement automated vulnerability assessment tools that scan your software supply chain in real time
✅ Track emerging CVEs across your entire application stack
✅ Flag unsafe libraries and automatically suggest fixes
✅ Maintain a software bill of materials (SBOM) to understand your exposure footprint
✅ Integrate patching into your CI/CD pipeline for faster remediation

If your video platform or customer-facing application relies on AVideo, or any PHP component, you need a continuous security strategy to detect and resolve vulnerabilities before attackers strike.

Secure Your Platform Before It’s Compromised

At Meterian, we help teams detect and remediate vulnerabilities across their software supply chain through real-time open-source monitoring, automated remediation, and SBOM-driven visibility.

Want to know if your app is exposed to CVE-2025-48732?

Get a full breakdown of the AVideo vulnerability, exploit risks, and how to patch it now.
👉 Download our Security Report

Don’t wait to become the next headline. Stay ahead with intelligent, AI-powered vulnerability assessment.


Rethinking Open Source Security

Essential Steps for Leaders Before the Next Supply Chain Attack

Author: Rod Cobain • 4 min read


A Storm Is Brewing

We live in an age of unprecedented digital dependency. From agile startups to global enterprises, modern organizations rely on interconnected software systems, primarily driven by open source software (OSS). While OSS is powerful, flexible, and cost-effective, it increasingly represents a critical cybersecurity risk.

Cyber attackers are aggressively exploiting open source vulnerabilities, targeting the tools and libraries that power global innovation. The question isn’t whether your organization uses open source software—it undoubtedly does. The critical question is: How effectively are you securing it?

This article will explore:

  • Why open source vulnerabilities attract cyber attacks.
  • The evolving nature of these threats.
  • The crucial role of cybersecurity thought leadership.
  • Strategic actions leaders must take immediately.

Open Source Software: The Expanding Attack Surface

The Prevalence of Open Source

  • 80-90% of modern applications incorporate OSS components.
  • OSS underpins critical infrastructure including finance, AI, and cloud services.
  • OSS adoption is accelerating within IoT and edge computing environments.

Why Attackers Target Open Source

  • A single vulnerability can impact thousands or millions of systems.
  • Attackers view the software supply chain as an attractive, often poorly defended target.
  • Many organizations lack visibility into OSS dependencies.

Recent High-Profile Incidents

  • Log4Shell (Log4j): A critical vulnerability in a widely used Java library triggered global disruption.
  • SolarWinds: Attackers infiltrated software updates, compromising numerous downstream systems.
  • MOVEit: Exploitation of a vulnerability in file-transfer software resulted in extensive data breaches.

These events signify a broader trend: cyber attacks exploiting OSS vulnerabilities are increasing in frequency and impact.


The Need for Thought Leadership

Challenging False Security Assumptions

Executives often mistakenly assume:

  • OSS security is someone else’s responsibility.
  • Commercial vendors adequately secure dependencies.
  • Development teams alone can manage open source risks effectively.

In reality:

  • OSS projects are often maintained by small volunteer teams.
  • Security debt accumulates rapidly.
  • Strategic oversight cannot be replaced by tools alone.

The Critical Role of Cybersecurity Thought Leadership

1. Driving Organizational Awareness

  • Treat software risk as a business risk.
  • Discuss OSS vulnerabilities regularly at board meetings.
  • Implement continuous monitoring and risk management strategies.

2. Building Industry Collaboration

  • Foster industry-wide partnerships to strengthen OSS security.
  • Support and participate in initiatives such as the Open Source Security Foundation (OpenSSF).

3. Influencing Public Policy

  • Advocate for clear software liability frameworks.
  • Promote mandatory Software Bill of Materials (SBOM) use for transparency and traceability.

4. Leading by Example

  • Adopt secure open source practices internally.
  • Showcase effective practices to peers and partners.
  • Contribute actively to open source communities.

Proactive Leadership Actions: Steps You Should Take Now

For CISOs, CEOs, and Security Officers:

  • Deploy comprehensive Software Composition Analysis (SCA) solutions.
  • Maintain a complete, continuously updated inventory of OSS components.
  • Embed security earlier into the development lifecycle (shift-left approach).
  • Accelerate patching of OSS vulnerabilities through automated remediation.
  • Engage with and support OSS communities financially and operationally.

For Executives and Board Members:

  • Request regular software supply chain risk assessments.
  • Allocate resources to enhance OSS security measures.
  • Support cross-industry initiatives and SBOM adoption.
  • Promote a culture where software security is central to business strategy.

The Broader Impact: Securing a Global Commons

Open source software represents a global digital commons. Poor security practices risk widespread systemic failure, not just isolated breaches. Robust thought leadership from security and business executives can act as a force multiplier by:

  • Driving critical awareness and urgency.
  • Shaping industry standards and best practices.
  • Influencing proactive, collaborative security cultures.

Without proactive leadership, organizations face continuous cycles of reactive firefighting. With it, we can build resilience and trust in the digital future.


Conclusion: Your Leadership Legacy

The stakes have never been higher:

  • Attackers are innovating rapidly.
  • OSS vulnerabilities will continue to surface and be exploited.
  • Regulatory landscapes and liability expectations are evolving quickly.

Now is the time for bold cybersecurity leadership that transcends organizational silos, engages across industries, and shapes global security practices. As a leader, ask yourself:

  • Is your organization prepared for the next OSS attack?
  • Are you shaping the conversation or merely reacting?
  • What legacy will you leave in securing the software that powers the world?

The future of digital trust depends on your answers.


Defend Against Disruption: Safeguard Vulnerability Management Amid MITRE Funding Risks

Today’s Reality Check: Vulnerability Management is Non-Negotiable

With the MITRE CVE system being the backbone of global vulnerability identification, it’s alarming to see discussions about funding cuts that could jeopardize this critical resource. If the industry loses its shared language for describing digital flaws, we’re all in trouble. This could stifle innovation in vulnerability management and mitigation, leaving organizations in the U.S. and worldwide scrambling for reliable data.

The industry needs to rally. We must collaborate on alternative funding models, invest in open-source initiatives, and forge partnerships that keep vital resources like CVE alive and thriving. Let’s ensure that our defenses remain robust, even in the face of disruption.

Meterian: The Power Database and Invisible Security Platform You Need

While others may falter, Meterian is charging ahead. Our vulnerability database is not just comprehensive; it’s a powerhouse, tracking more than 400,000 vulnerabilities and receiving daily automatic updates from a multitude of sources. We pull data from the National Vulnerability Database, GitHub Security Advisories, and 15 other unique feeds. But we don’t stop there. Our AI-generated insights, combined with meticulous manual curation, deliver a done-for-you service that your security and engineering teams can depend on.

In short, we provide your enterprise with a pair of automated eagle eyes, ensuring you have full visibility into potential software weaknesses in your third-party software supply chain.

Quality and Volume

Our commitment to excellence means you get the best tools to manage vulnerabilities effectively, for your team’s tech stack and workflow. We have a multitude of integrations, and our OpenAPI architecture means we can collaborate to create more value together.

Join the Revolution

It’s time to elevate your cybersecurity strategy with the best solution for your team. Ready to take your cybersecurity to the next level? Check out our product page infographic to see how our database stacks up against the competition.


Big News for Flutter Fans: Meterian Now Supports Dart!

Great news for all you mobile developers out there! Meterian, a leading Software Composition Analysis (SCA) platform, has just rolled out support for Dart, the programming language that’s become super popular for building Flutter apps. If you’re crafting mobile apps with Flutter, this update is specially tailored for you. Let’s dive into what this means and why it’s a game changer for Flutter developers.

Why Dart and Flutter are a Big Deal

Developed by Google, Dart is all about building smooth and stunning mobile and web applications, and it’s the powerhouse behind Flutter—Google’s UI toolkit for crafting beautiful, natively compiled applications from a single codebase. Flutter’s ability to deliver apps that feel great on both Android and iOS has made it a hot favorite. With Dart now getting the spotlight it deserves, security and efficiency in app development are set to reach new heights.

Meterian embraces Dart

With Dart on its radar, Meterian is making sure that your development toolkit is not just powerful but also secure. This inclusion means Meterian can now safeguard your Flutter projects right from the get-go, catching potential security slip-ups before they become real headaches.

Meterian’s leap to include Dart is more than just an update—it’s setting a new standard for mobile app security. By embracing the needs of the Flutter community, Meterian is not only beefing up the security of apps but is also paving the way for projects that scale smoothly and stay robust under pressure.

What’s in it for Flutter developers?

We believe Flutter will eventually gain a dominant position in the mobile development scene, so it’s essential to have tools that ensure your applications are rock solid and safe. Meterian’s support for Dart brings you a suite of benefits:

  • Boosted Security: Spot vulnerabilities early in the development cycle with Meterian’s SCA tools, keeping your apps safe from security threats.
  • Stay on the Right Side of Compliance: Keep up with the latest security standards easily, ensuring your app complies with legal and regulatory requirements.
  • Seamless Development Flow: Meterian fits right into your existing workflows, helping you patch up security issues without slowing you down.
  • Scale with Confidence: As your app grows, Meterian grows with it, making sure that even the most complex projects stay manageable and secure.
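What an SCA pass over a Flutter project actually does, as an added example that is not Meterian’s code: read the `pubspec.lock` that `dart pub get` writes, pull out every resolved package and version, and match them against an advisory list with "introduced / fixed" version ranges. The lockfile excerpt, the package names (`demo_http`, `demo_parser`) and the advisories below are all constructed for illustration and do not correspond to real pub.dev packages or real CVEs.

```python
"""Minimal Software Composition Analysis (SCA) pass over a Flutter pubspec.lock.

Added example, not Meterian's code. The lockfile text, package names and
advisories are constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed pubspec.lock excerpt in the layout `dart pub get` produces.
SAMPLE_LOCK = """\
packages:
  demo_http:
    dependency: "direct main"
    description:
      name: demo_http
      url: "https://pub.dev"
    source: hosted
    version: "0.13.4"
  demo_parser:
    dependency: transitive
    description:
      name: demo_parser
      url: "https://pub.dev"
    source: hosted
    version: "2.1.0"
  flutter:
    dependency: "direct main"
    description: flutter
    source: sdk
    version: "0.0.0"
sdks:
  dart: ">=2.17.0 <3.0.0"
"""


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet
    identifier: str   # hypothetical placeholder, not a real CVE/GHSA id


# Constructed advisories for the constructed packages above.
SAMPLE_ADVISORIES = [
    Advisory("demo_parser", "2.0.0", "2.1.3", "EXAMPLE-2024-0001"),
    Advisory("demo_http", "0.0.0", "0.13.5", "EXAMPLE-2023-0002"),
]


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH[-pre]' into a comparable tuple.

    A pre-release (2.1.0-beta.1) must sort before its release (2.1.0), so the
    fourth element is 0 for pre-releases and 1 for releases.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    return core + ((0, pre) if pre else (1, ""))


def parse_pubspec_lock(text: str) -> dict:
    """Return {package_name: {'version': ..., 'source': ...}} from a pubspec.lock.

    Line-based on purpose: only the two-space package keys and their four-space
    'version'/'source' fields are read, so nested 'description' maps are skipped.
    """
    packages, current, in_packages = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if indent == 0:                       # top-level key: packages:, sdks:
            in_packages = stripped == "packages:"
            current = None
            continue
        if not in_packages:
            continue
        if indent == 2 and stripped.endswith(":"):
            current = stripped[:-1]
            packages[current] = {}
        elif indent == 4 and current and ":" in stripped:
            key, _, value = stripped.partition(":")
            packages[current][key.strip()] = value.strip().strip('"')
    return packages


def find_vulnerable(packages: dict, advisories: list) -> list:
    """Match resolved hosted packages against advisory ranges.

    Returns sorted (package, installed, advisory id, first fixed or None).
    """
    findings = []
    for adv in advisories:
        info = packages.get(adv.package)
        if not info or info.get("source") != "hosted":   # skip sdk/path deps
            continue
        installed = parse_version(info["version"])
        if installed < parse_version(adv.introduced):
            continue
        if adv.fixed and installed >= parse_version(adv.fixed):
            continue
        findings.append((adv.package, info["version"], adv.identifier, adv.fixed or None))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, ver, ident, fix in find_vulnerable(parse_pubspec_lock(SAMPLE_LOCK), SAMPLE_ADVISORIES):
        print(f"{pkg} {ver}: {ident}, " + (f"upgrade to >= {fix}" if fix else "no fix available"))
```

Transitive packages (`demo_parser` above is pulled in by something else, not declared in `pubspec.yaml`) are the ones teams most often miss, which is why the scan works from the lockfile rather than the manifest; a real SCA tool also has to resolve aliases across feeds (the same flaw appearing under a CVE id and a GHSA id) before it can report one finding per package.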

I want to use Meterian: what should I do?

Meterian is free for open source projects! If you have a GitHub OSS project, you can easily integrate Meterian using the GitHub Action by following this step-by-step guide, or you can check out this live example on GitHub. We also have native integrations with Bitbucket and Azure DevOps, as well as integrations with other CI/CD platforms.

Meterian is here to help!

With Dart in Meterian’s toolkit, it’s an exciting time to be building apps with Flutter. This move shows Meterian’s commitment to supporting the latest and greatest in app development, making it easier for you to build apps that aren’t just awesome but are also secure and compliant. To learn more about Meterian’s support for Dart/Flutter and how it can help improve the security of your projects, visit Meterian’s website at www.meterian.io.
