Shai-Hulud 2.0: What executives need to know about the supply-chain worm (Nov 24, 2025)

On November 24, 2025, a second wave of the “Shai-Hulud” npm supply-chain attack began spreading through the JavaScript ecosystem. Attackers compromised maintainer accounts, published trojanized versions of legitimate packages, and used them as a worm to steal credentials and propagate into more projects and organizations.

What happened (in plain terms)

  • Trusted packages were silently replaced with malicious updates. When developers or CI systems installed these versions, the malware ran automatically during install.
  • The malware steals secrets at scale. The payload hunts for npm/GitHub tokens and cloud credentials, then exfiltrates them to attacker-controlled repos.
  • This wave is more capable than September’s. Researchers observed improved execution (including the Bun runtime) and broader credential targeting, making infection faster and harder to spot.
  • High-profile vendors were hit. Packages tied to Zapier, ENS Domains, Postman, PostHog, AsyncAPI and others were compromised, showing the attackers can reach well-run projects—not just obscure libs.

Why this matters to your business

This is not a “developer problem.” It is a direct enterprise risk:

  1. Credential theft = account takeover. If a compromised package was installed in your environment, assume tokens and keys on that machine (or CI runner) may be stolen. That can lead to cloud breaches, source-code theft, or ransomware-style follow-on attacks.
  2. Supply chain blast radius is huge. npm packages are deeply nested in modern apps. One infected dependency can taint many internal services before anyone notices. The campaign has already spread into tens of thousands of GitHub repos.
  3. Regulatory and reputational exposure. If attacker access leads to customer data loss or service disruption, you face incident-response costs, disclosure obligations, and trust damage.

Immediate actions (next 24–72 hours) for your engineering team

If your engineering team uses Node.js / npm anywhere:

  1. Identify exposure.
    • Compare your dependency lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) against the known malicious package/version list from current advisories.
    • Search CI logs and build images for installs of those versions from Nov 24, 2025 onward.
    • If you are using Meterian, your teams will be notified tomorrow of any outstanding issue in your projects, and you can also trigger a rescan manually.
  2. Treat potentially affected environments as compromised.
    • Rotate all secrets that could have been accessible to developer machines or CI runners: npm tokens, GitHub tokens, cloud keys, DB creds, SaaS API keys.
    • Re-issue creds from a clean machine.
  3. Hunt for persistence.
    • Check for unexpected GitHub Actions / CI workflows, new secrets, or unfamiliar deploy keys. Earlier Shai-Hulud waves used CI backdoors to keep access.
  4. Block known bad versions now.
    • Add deny-lists in artifact proxies (e.g., npm registry mirrors) and internal policy gates.
    • Pin safe versions until the incident stabilizes.
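The exposure check in step 1 and the deny-list in step 4, as an added example that is not Meterian's code: it parses package-lock.json (lockfile versions 1 and 2/3) and the classic yarn.lock format and reports every installed version that is on a deny-list. The three DENYLIST entries are copied from the affected-package list on this page, the two sample lockfiles are constructed, and pnpm-lock.yaml is left out because it needs a YAML parser.

```javascript
// Added example (not Meterian's code): scan npm and yarn lockfiles for package
// versions that appear on a deny-list of known-malicious releases.
// DENYLIST holds a few entries copied from the advisory list on this page;
// a real run should load the full, current advisory list instead.
const DENYLIST = {
  'posthog-js': ['1.297.3'],
  '@posthog/cli': ['0.5.15'],
  '@zapier/secret-scrubber': ['1.1.5', '1.1.4', '1.1.3'],
};

// Record a hit when (name, version) is on the deny-list.
function check(name, version, where, hits) {
  const bad = DENYLIST[name];
  if (bad && bad.includes(version)) hits.push({ name, version, where });
}

// package-lock.json: lockfileVersion 2/3 has a flat "packages" map keyed by
// install path (e.g. "node_modules/@scope/name"); lockfileVersion 1 nests
// transitive dependencies under "dependencies" recursively.
function scanPackageLock(json) {
  const lock = JSON.parse(json);
  const hits = [];
  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '' || !entry.version) continue; // root project or a link entry
      // Aliased installs carry an explicit "name"; otherwise the name is the
      // path segment after the last "node_modules/" (scopes keep their "@scope/").
      const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
      check(name, entry.version, path, hits);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      check(name, entry.version, where, hits);
      walk(entry.dependencies, `${where}/`); // v1 nests transitive deps
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// yarn.lock (classic v1 text format): an unindented line lists one or more
// "name@range" selectors and ends with ":"; the two-space-indented lines that
// follow hold the resolved fields, including  version "x.y.z".
function scanYarnLock(text) {
  const hits = [];
  let names = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const selectors = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      // The version separator is the last "@"; an "@" at index 0 is a scope marker.
      names = [...new Set(selectors.map((sel) => {
        const at = sel.lastIndexOf('@');
        return at > 0 ? sel.slice(0, at) : sel;
      }))];
      continue;
    }
    // Exactly two spaces: deeper indentation belongs to nested "dependencies:" blocks.
    const m = line.match(/^ {2}version\s+"?([^"\s]+)"?/);
    if (m) for (const n of names) check(n, m[1], `yarn.lock (${n})`, hits);
  }
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'posthog-js': '^1.297.0' } },
    'node_modules/posthog-js': { version: '1.297.3' },
    'node_modules/@posthog/cli': { version: '0.5.14' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
});

const SAMPLE_YARN_LOCK = [
  '# yarn lockfile v1',
  '',
  '"@zapier/secret-scrubber@^1.1.0", "@zapier/secret-scrubber@~1.1.3":',
  '  version "1.1.4"',
  '  resolved "https://registry.example.invalid/placeholder.tgz"',
  '',
  'left-pad@^1.3.0:',
  '  version "1.3.0"',
].join('\n');

const found = [...scanPackageLock(SAMPLE_PACKAGE_LOCK), ...scanYarnLock(SAMPLE_YARN_LOCK)];
for (const h of found) console.log(`DENY-LISTED ${h.name}@${h.version} at ${h.where}`);
```

To check a real project, read each lockfile with fs.readFileSync and pass its text to the matching scanner; a non-empty result is the set of installs to treat as compromised in step 2.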

Medium-term fixes (next few weeks) for your engineering team

  • Eliminate long-lived registry tokens. The attack leveraged stolen or weakly protected maintainer/CI tokens; reducing token lifetime and scope cuts worm propagation.
  • Harden CI/CD. Run builds in isolated runners with minimal secrets; require approvals for workflow changes.
  • Adopt dependency trust controls.
    • Prefer verified publishing / signed releases where available.
    • Add automated checks for sudden owner changes, new install scripts, or unusual publish patterns.
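The three automated checks in the last bullet, as an added example that is not Meterian's code: it runs over an npm registry packument (the per-package JSON with maintainers, time and versions fields) and flags maintainer changes against a baseline you recorded earlier, install hooks that are new or changed in the latest release, and several releases inside one 24-hour window. The packument and the baseline maintainer list below are constructed samples.

```javascript
// Added example (not Meterian's code): automated checks over an npm packument
// for the three signals named on this page: maintainer changes, new install
// scripts, and burst publishing. SAMPLE_PACKUMENT is a constructed sample that
// mimics the real registry fields; the baseline maintainer list is assumed to
// come from a snapshot you took when the dependency was last reviewed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const BURST_WINDOW_MS = 24 * 60 * 60 * 1000;

// Published versions in publish-time order ("created"/"modified" are not versions).
function publishedVersions(pkg) {
  return Object.entries(pkg.time || {})
    .filter(([v]) => v !== 'created' && v !== 'modified' && pkg.versions[v])
    .map(([v, t]) => ({ version: v, at: Date.parse(t) }))
    .sort((a, b) => a.at - b.at);
}

// 1. Maintainer set differs from the baseline recorded at the last review.
function maintainerChanges(pkg, baselineMaintainers) {
  const now = new Set((pkg.maintainers || []).map((m) => m.name));
  const base = new Set(baselineMaintainers);
  return {
    added: [...now].filter((n) => !base.has(n)),
    removed: [...base].filter((n) => !now.has(n)),
  };
}

// 2. Lifecycle hooks that run at install time and are new or changed in the
//    latest release compared with the release before it.
function newInstallScripts(pkg) {
  const order = publishedVersions(pkg);
  if (order.length < 2) return [];
  const prev = pkg.versions[order[order.length - 2].version].scripts || {};
  const latest = pkg.versions[order[order.length - 1].version].scripts || {};
  return INSTALL_HOOKS
    .filter((h) => h in latest && latest[h] !== prev[h])
    .map((h) => ({ hook: h, command: latest[h] }));
}

// 3. At least minCount releases inside one 24-hour window, the pattern behind
//    the multi-version entries in this page's affected-package list.
function burstPublishes(pkg, minCount = 3) {
  const order = publishedVersions(pkg);
  for (let i = 0; i + minCount - 1 < order.length; i++) {
    const span = order[i + minCount - 1].at - order[i].at;
    if (span <= BURST_WINDOW_MS) return order.slice(i, i + minCount).map((o) => o.version);
  }
  return [];
}

// Combine the three checks into a list of human-readable findings; an empty
// list means the update may proceed without manual review.
function assessPackage(pkg, baselineMaintainers) {
  const maint = maintainerChanges(pkg, baselineMaintainers);
  const findings = [];
  if (maint.added.length || maint.removed.length) {
    findings.push(`maintainers changed: +[${maint.added}] -[${maint.removed}]`);
  }
  for (const s of newInstallScripts(pkg)) findings.push(`new/changed ${s.hook} hook: ${s.command}`);
  const burst = burstPublishes(pkg);
  if (burst.length) findings.push(`burst publish: ${burst.join(', ')}`);
  return findings;
}

// Constructed sample packument (placeholder name, not real registry data):
// a new maintainer, three releases in seven minutes, and a preinstall hook
// that the previous release did not have.
const SAMPLE_PACKUMENT = {
  name: 'example-widget',
  maintainers: [{ name: 'alice', email: 'alice@example.invalid' }, { name: 'mallory', email: 'm@example.invalid' }],
  time: {
    created: '2024-01-01T00:00:00.000Z',
    '1.0.0': '2024-01-01T00:00:00.000Z',
    '1.0.1': '2025-11-24T09:00:00.000Z',
    '1.0.2': '2025-11-24T09:05:00.000Z',
    '1.0.3': '2025-11-24T09:07:00.000Z',
    modified: '2025-11-24T09:07:00.000Z',
  },
  versions: {
    '1.0.0': { scripts: { test: 'vitest' } },
    '1.0.1': { scripts: { test: 'vitest' } },
    '1.0.2': { scripts: { test: 'vitest' } },
    '1.0.3': { scripts: { test: 'vitest', preinstall: 'node ./install-helper.js' } },
  },
};

for (const f of assessPackage(SAMPLE_PACKUMENT, ['alice'])) console.log(`REVIEW: ${f}`);
```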

The take-home

Shai-Hulud 2.0 is a credential-stealing worm riding on the npm ecosystem. It spreads through normal installs, targets high-value developer and cloud secrets, and has already hit mainstream packages. The right executive posture is: assume compromise if exposed, rotate secrets fast, and tighten the software supply chain permanently. After last September’s incident, we predicted this would rear its ugly head again. Watch a brief update and warning shared earlier this week at one of our meetings.

Meterian CTO Bruno Bossola discusses the growing blast radius and why every consumer of npm must act to stop it.

This is a story under development!

Please keep an eye on this blog page; in the meantime, here is the list of affected packages and versions so far:


Jaguar Land Rover Cyberattack: A Wake-Up Call for Supply Chain Resilience

The automotive giant’s recent cyber breach shows why continuous vulnerability assessment and open-source security are no longer optional.

Earlier this month, Jaguar Land Rover (JLR), the UK’s largest carmaker, was forced to shut down global IT systems after a cyberattack disrupted production across its factories. Plants in Solihull, Halewood, Wolverhampton, and Slovakia were halted. Operations in China, India, and Brazil also felt the ripple effect.

Thousands of employees and suppliers were sent home. Dealers and garages had to switch to manual operations during one of the busiest sales periods of the year: the September license plate registration window.

While no customer data breach has been confirmed, the attack reflects how deeply cybersecurity failures in the supply chain can damage both business operations and national economies. JLR contributes nearly 4% of the UK’s exports.

How the Jaguar Land Rover Attack Happened

The hacking coalition calling itself “Scattered Lapsus$ Hunters” claimed responsibility, posting internal screenshots as proof. Analysts link the group to earlier social engineering campaigns carried out by collectives like Scattered Spider, Lapsus$, and ShinyHunters.

This was not a sophisticated zero-day exploit. It was an attack on trust and resilience. By exploiting weaknesses in IT systems and operational processes, attackers triggered a shutdown that cascaded across JLR’s entire global network.

For an industry where every production hour counts, this was a direct hit to the supply chain.

Why Supply Chain Vulnerabilities Are a Critical Business Risk

The JLR case illustrates the stark reality:

  • Operational Technology (OT) systems are connected to IT systems. A breach in one disrupts the other.
  • Third-party risk is first-party risk. If suppliers or partners are compromised, your own resilience is at stake.
  • Downtime is as damaging as data loss. Even without stolen records, JLR faces millions in lost productivity and missed sales.
  • Open-source software is everywhere. Modern automotive systems depend on open-source libraries and components. Without continuous monitoring, hidden risks can remain undetected until it’s too late.

Where Vulnerability Assessment Makes the Difference

This incident is a powerful reminder of the need for continuous vulnerability assessment and software supply chain security. Key protective measures include:

  • Automated vulnerability scanning across all code, dependencies, and applications
  • SBOM (Software Bill of Materials) to ensure visibility into every open-source component used in critical systems
  • Continuous monitoring for newly disclosed CVEs that could disrupt supply chains
  • DevSecOps integration to ensure remediation is part of the development and deployment pipeline
  • Incident readiness through real-time alerts and automated remediation guidance

How Meterian Helps Build Resilience

Meterian’s platform is built to detect, monitor, and remediate open-source vulnerabilities before they cause widespread damage.

  • BOSS (Business Open Source Sentinel): Provides real-time alerts for newly disclosed vulnerabilities across your software supply chain.
  • Sentinel: Automates vulnerability assessment and integrates into your CI/CD workflows to block unsafe code before it reaches production.
  • SBOM generation and ingestion: Gives you complete visibility into the components your business depends on, simplifying compliance and response.
  • AI-powered continuous monitoring: Ensures you are always ahead of emerging threats—whether in PHP, Java, .NET, or any other stack critical to your business.

Had such systems been in place across JLR and its suppliers, the blast radius of this attack could have been contained, with faster detection and remediation.

Why Open-Source Security Matters

The JLR breach demonstrates a truth we see across industries: open-source security is business security.

When 80–90% of modern applications depend on open-source components, every unpatched library becomes a potential entry point. The cost of ignoring these risks isn’t theoretical. It’s operational paralysis, financial loss, and reputational damage.

Don’t Wait for the Next Breach

The JLR cyber attack is not an isolated incident. It is part of a wider trend of supply chain attacks targeting global industries. The question is not whether open-source vulnerabilities exist in your systems—they do. 

The question is: are you continuously monitoring and remediating them?

Now is the time to take control of your software supply chain.

👉 Learn how to strengthen resilience in our upcoming webinar:
“What’s Open Source Security Got to Do with Resilience of the Supply Chain?”
📅 September 18, 2025 • 14:00 BST • 15:00 CET • 09:00 ET • 18:30 IST

Register here


Ivanti’s RCE Nightmare Started with a Library You Might Be Using Too


In May 2025, cybersecurity headlines were dominated by Ivanti Endpoint Manager Mobile (EPMM) facing active exploitation through chained remote code execution (RCE) vulnerabilities—CVE‑2025‑4427 and CVE‑2025‑4428. 

These flaws enabled unauthenticated attackers to execute malicious code on affected systems, affecting enterprises globally. Ivanti’s vulnerabilities were notably tied to outdated open-source Java components, highlighting the critical importance of managing open-source security dependencies.

In this blog, we explore the Ivanti incidents, understand the role vulnerable Java libraries played, and demonstrate how proactive software composition analysis (SCA), continuous monitoring, and automated remediation through Meterian-X could have prevented or swiftly mitigated these attacks.

Ivanti’s Open Source Vulnerability: Java Libraries at Fault

The Ivanti vulnerabilities were rooted in the product’s reliance on outdated versions of open-source Java libraries, in particular “hibernate-validator”. The two flaws were chained by attackers:

  • CVE‑2025‑4427: an authentication bypass, letting unauthenticated requests reach the vulnerable code path.
  • CVE‑2025‑4428: remote code execution (RCE), reached through expression-language evaluation in the validation error path.

These vulnerabilities underscore a significant risk: even trusted enterprise products can expose businesses if they incorporate insecure or outdated open-source components.

Understanding the Attack Surface

Ivanti’s attack scenario reveals common industry oversights:

  • Outdated dependency versions not promptly updated.
  • Inadequate visibility into the software bill of materials (SBOM).
  • Insufficient integration of security checks in the continuous integration and continuous delivery (CI/CD) pipeline.

Given the rise in nation-state actors targeting supply chains, companies must ensure software dependencies are continuously scrutinized.

Continuous Monitoring & Detection with Meterian Sentinel

Meterian Sentinel actively monitors dependencies, aggregating real-time vulnerability intelligence from authoritative sources, such as the National Vulnerability Database and GitHub Security Advisories. 

Sentinel would have identified Ivanti’s outdated “hibernate-validator” dependency, alerting development and security teams of the urgent update required.

BOSS: Immediate Alerting & Automated Remediation

Meterian’s BOSS system provides:

  • Real-time notifications of critical vulnerabilities.
  • Actionable, prioritized remediation steps directly within development workflows.

In Ivanti’s case, BOSS would have immediately alerted to the risky dependency version, detailing the vulnerability and auto-generating a recommended fix within the CI/CD process.

Proactive Prevention: CI/CD Integration Workflow with Meterian-X

Integrating Meterian-X into CI/CD pipelines ensures software vulnerabilities are detected and addressed at the earliest stage, automatically:

  • Scanning: Meterian-X conducts real-time vulnerability scanning, flagging outdated dependencies like “hibernate-validator.”
  • Alerting: Via BOSS, teams receive instant alerts embedded within their existing development tools.
  • Remediation: Meterian-X auto-suggests safe library versions, ensuring secure deployment without manual intervention.
  • Verification: Automatically generates comprehensive SBOM reports (in CycloneDX format), streamlining compliance and software traceability.

This integration transforms vulnerability management from reactive firefighting into proactive security.
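As an added example (it is not Meterian’s, Meterian-X’s or Ivanti’s code), the Python script below shows the mechanics behind the scanning and remediation steps listed above: parse a CycloneDX SBOM, match each component’s package URL (purl) against an advisory feed using version ranges, report the lowest fixed version to upgrade to, and return a non-zero exit code so that a CI job fails. The SBOM and the advisory entries are constructed for the example; the range on CONSTRUCTED-0001 is a placeholder and not the real advisory data for the Ivanti CVEs. The version parser is a simplified take on Maven’s ordering rules.

```python
"""Offline SCA check: match a CycloneDX SBOM against an advisory feed.

Added example, not Meterian's or Ivanti's code. The SBOM and the advisory
entries are constructed for illustration; the version range attached to
CONSTRUCTED-0001 is a placeholder and is NOT the real advisory data for the
Ivanti CVEs. Ranges follow the OSV convention: `introduced` is inclusive,
`fixed` is exclusive.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM fragment, in the shape cyclonedx-maven-plugin emits.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "hibernate-validator", "version": "6.1.7.Final",
         "purl": "pkg:maven/org.hibernate.validator/hibernate-validator@6.1.7.Final"},
        {"type": "library", "name": "spring-web", "version": "5.3.39",
         "purl": "pkg:maven/org.springframework/spring-web@5.3.39"},
        {"type": "library", "name": "jackson-databind", "version": "2.17.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.2"},
    ],
})

# Constructed advisory feed, keyed by purl without the pkg: prefix or the version.
ADVISORIES = [
    {"id": "CONSTRUCTED-0001", "package": "maven/org.hibernate.validator/hibernate-validator",
     "ranges": [{"introduced": "0", "fixed": "6.2.0.Final"}],
     "summary": "placeholder entry: vulnerable below the fixed version"},
    {"id": "CONSTRUCTED-0002", "package": "maven/com.fasterxml.jackson.core/jackson-databind",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.9.10"}],
     "summary": "placeholder entry: already fixed in the version the SBOM lists"},
]

# Maven qualifier ordering (simplified): snapshot < alpha < beta < cr/rc < final/release/ga.
QUALIFIER_RANK = {"snapshot": 0, "alpha": 1, "beta": 2, "cr": 3, "rc": 3,
                  "final": 5, "release": 5, "ga": 5}


def version_key(version):
    """Comparable key for Maven-style versions such as 6.1.7.Final or 2.9.10.

    Numeric segments compare as integers (so 2.9.10 < 2.17.2); a trailing
    qualifier is ranked so that 6.2.0.Alpha1 < 6.2.0.CR1 < 6.2.0.Final, and a
    bare 6.2.0 sorts equal to 6.2.0.Final, as Maven does.
    """
    numbers, qualifier = [], (5, 0)
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            numbers.append(int(part))
            continue
        match = re.match(r"([A-Za-z]+)(\d*)$", part)
        if match:
            qualifier = (QUALIFIER_RANK.get(match.group(1).lower(), 4),
                         int(match.group(2) or 0))
        break
    numbers = (numbers + [0, 0, 0, 0])[:4]
    return tuple(numbers), qualifier


def is_affected(version, ranges):
    """True when the version falls inside any [introduced, fixed) range."""
    key = version_key(version)
    return any(version_key(r["introduced"]) <= key
               and ("fixed" not in r or key < version_key(r["fixed"]))
               for r in ranges)


def package_key(purl):
    """pkg:maven/group/name@1.2.3?type=jar -> maven/group/name"""
    body = purl[4:] if purl.startswith("pkg:") else purl
    body = body.split("?", 1)[0].split("#", 1)[0]
    return body.rsplit("@", 1)[0]


def scan_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) match, with the upgrade target."""
    findings = []
    for component in json.loads(sbom_json).get("components", []):
        key = package_key(component["purl"])
        for advisory in advisories:
            if advisory["package"] != key or not is_affected(component["version"], advisory["ranges"]):
                continue
            # Smallest fixed version that is newer than what is deployed.
            fixed = [r["fixed"] for r in advisory["ranges"] if "fixed" in r
                     and version_key(r["fixed"]) > version_key(component["version"])]
            findings.append({"component": component["purl"], "advisory": advisory["id"],
                             "upgrade_to": min(fixed, key=version_key) if fixed else None})
    return findings


def ci_exit_code(findings):
    """Block the pipeline when any finding is open: 1 = fail, 0 = pass."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = scan_sbom(SBOM_JSON, ADVISORIES)
    for f in results:
        print(f"{f['advisory']}: {f['component']} -> upgrade to {f['upgrade_to']}")
    raise SystemExit(ci_exit_code(results))
```

In a real pipeline the SBOM comes from the build (for Maven, the cyclonedx-maven-plugin) and the advisory feed from a live source; the matching and gating logic stays the same. Note that the fully qualified purl is compared, not just the artefact name, so a fork or a relocated artefact with the same name is not mistaken for the original.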

The Critical Role of SBOM

The Ivanti incident emphasizes why SBOMs are critical:

  • Manufacturers and enterprises gain transparent, real-time views into their software components.
  • Teams rapidly identify vulnerabilities within third-party dependencies.
  • Regulatory compliance becomes streamlined (e.g., SOC 2, EU CRA, EU DORA).

Meterian-X’s CycloneDX-based SBOM generation and ingestion is integral to maintaining visibility, security, and compliance.

Strengthening Your Software Supply Chain

Ivanti’s vulnerability illustrates a fundamental truth: security must extend beyond internal code to encompass all open-source dependencies. Meterian empowers security leaders, developers, and compliance teams to proactively detect and auto-remediate risks like those affecting Ivanti.

Adopting Meterian’s comprehensive security integration ensures continuous monitoring. It provides a rapid response and reliable protection of your software supply chain. This safeguards your business from the increasing threat of supply-chain-based cyber attacks.


The Java Clone Hack That Happened in 20 Minutes — Could It Happen to You?


In May 2025, a clone of the secure messaging app Signal — known as TM SGNL by TeleMessage — was compromised in under 20 minutes. The breach wasn’t due to zero-day exploits or state-sponsored threat actors. Instead, it was a plain, preventable Java server misconfiguration that exposed plaintext credentials, archived messages, and encryption keys.

This incident is a stark reminder for security and development teams – modern applications, especially Java-based clone apps, are riddled with hidden vulnerabilities that standard controls often miss.

This is exactly the class of threats Meterian’s continuous monitoring and AI-powered vulnerability intelligence is built to catch early and fix fast.


The TM SGNL Hack: Anatomy of a Misconfiguration

At the heart of the breach was a forgotten, publicly reachable Spring Boot Actuator endpoint, /heapdump, which returns a snapshot of the JVM’s memory to whoever requests it. The exposed heap dump included:

  • Admin usernames and passwords in plaintext
  • Encryption keys
  • Archived private messages

TM SGNL had promised end-to-end encryption. Yet archived content was stored insecurely, and passwords were hashed with MD5 on the client, a deprecated and insecure scheme (and, hashed client-side, the hash itself becomes the credential an attacker needs). The application also ran on an outdated JSP stack, compounding the risk.

The breach showed how vulnerable legacy Java frameworks and poor server hygiene can create systemic risk, even in apps that claim security by design.
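To make the misconfiguration concrete, here is an added example in Python (not TeleMessage’s or Meterian’s code) that audits a Spring Boot application.properties file offline: it resolves which actuator endpoints are enabled and web-exposed under the include/exclude rules and reports the risky combinations, with a weak configuration beside a hardened one. Both property files are constructed for the example, and the defaults it assumes (web exposure of health only, shutdown disabled by default, other endpoints enabled by default) are simplified from Spring Boot’s documented behaviour.

```python
"""Offline audit of Spring Boot Actuator exposure in application.properties.

Added example, not TeleMessage's or Meterian's code. It reads the properties
a Spring Boot 2.x/3.x service is deployed with and reports the combinations
that make endpoints such as /actuator/heapdump reachable, the class of
misconfiguration behind the TM SGNL breach. Both property files below are
constructed for the example. Defaults are simplified and treated as
assumptions: web exposure is `health` only, `shutdown` is disabled by
default, every other endpoint is enabled by default.
"""
import re

# Constructed: the shape of configuration that hands the heap dump to anyone.
WEAK_PROPERTIES = """
server.port=8080
# "*" exposes every actuator endpoint over HTTP, heapdump and env included
management.endpoints.web.exposure.include=*
management.endpoints.web.base-path=/actuator
"""

# Constructed: hardened form. Only health is exposed, heapdump is switched off,
# env never echoes values, and management traffic uses a separate port that can
# be kept off the public interface.
HARDENED_PROPERTIES = """
server.port=8080
management.server.port=8081
management.endpoints.web.exposure.include=health
management.endpoint.heapdump.enabled=false
management.endpoint.env.show-values=never
"""

# Endpoints that leak memory, secrets or configuration, or allow control.
SENSITIVE_ENDPOINTS = {"heapdump", "env", "threaddump", "configprops",
                       "beans", "mappings", "logfile", "shutdown"}
DISABLED_BY_DEFAULT = {"shutdown"}
ALL_KNOWN = SENSITIVE_ENDPOINTS | {"health", "info", "metrics", "loggers"}


def parse_properties(text):
    """Minimal .properties reader: key=value or key: value, # and ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def _csv(props, key, default):
    return {item.strip() for item in props.get(key, default).split(",") if item.strip()}


def web_exposed_endpoints(props):
    """Endpoint ids reachable over HTTP after include/exclude rules; exclude wins."""
    include = _csv(props, "management.endpoints.web.exposure.include", "health")
    exclude = _csv(props, "management.endpoints.web.exposure.exclude", "")
    if "*" in exclude:
        return set()
    if "*" in include:
        include = set(ALL_KNOWN)
    return include - exclude


def endpoint_enabled(props, endpoint):
    """Per-endpoint flag wins; otherwise the global enabled-by-default setting."""
    by_default = props.get("management.endpoints.enabled-by-default", "true").lower() == "true"
    if endpoint in DISABLED_BY_DEFAULT:
        by_default = False
    flag = props.get(f"management.endpoint.{endpoint}.enabled")
    return by_default if flag is None else flag.lower() == "true"


def audit(properties_text):
    """Return human-readable findings; an empty list means nothing risky was found."""
    props = parse_properties(properties_text)
    findings = [f"{ep}: enabled and exposed over the web"
                for ep in sorted(web_exposed_endpoints(props) & SENSITIVE_ENDPOINTS)
                if endpoint_enabled(props, ep)]
    if findings and "management.server.port" not in props:
        findings.append("management endpoints share the application port "
                        "(set management.server.port and firewall it)")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(f"[{label}] {audit(text) or ['no findings']}")
```

Two caveats a practitioner would want: the hardened file only limits what is exposed, it does not add authentication, so management endpoints should additionally sit behind Spring Security or a reverse-proxy ACL; and properties can be overridden by environment variables, YAML profiles or command-line flags, so the audit should run against the effective configuration of the deployed service, not only the file in the repository.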


Where Continuous Scanning Could Have Helped

This type of vulnerability isn’t exotic. It’s configuration-level, but critically dangerous. Meterian’s platform continuously scans Java applications for:

  • Misconfigured Actuator endpoints
  • Insecure or outdated hashing algorithms (like MD5)
  • Use of legacy Java stacks with unpatched CVEs
  • Exposure of credentials in memory dumps or logs

By aggregating insights from over 15 trusted vulnerability feeds, including the National Vulnerability Database and GitHub Advisories, Meterian flags risks with both high fidelity and low noise.


BOSS & Sentinel: Detect, Alert, Remediate

Meterian’s Sentinel engine would have flagged the publicly exposed /heapdump endpoint immediately as a misconfiguration with known exploit patterns. Combined with BOSS, our automated alerting system, security engineers would receive:

  • A prioritized, actionable report
  • A breakdown of the exposed endpoint’s risk level
  • Suggested auto-remediation steps (e.g., disable public access, require auth tokens)

These insights are delivered directly into existing CI/CD pipelines or DevSecOps dashboards, accelerating mitigation.


Why Java Clone Apps Are Especially Vulnerable

Clone apps often inherit:

  • Outdated codebases
  • Legacy dependencies
  • Minimal refactoring

In many cases, these applications rebrand functionality but retain insecure implementations. TM SGNL reused insecure design patterns while branding itself as a secure communications tool. This mismatch is where attackers thrive.

Meterian’s dependency graph analysis would have:

  • Mapped all third-party Java libraries in use
  • Flagged outdated dependencies
  • Identified insecure hashing libraries

What This Means for Security Leaders

Security isn’t just about patching CVEs. It’s about maintaining visibility and control across all components — including infrastructure, third-party libraries, and code hygiene.

Meterian helps CISOs, developers, and risk managers:

  • Maintain an up-to-date SBOM (using CycloneDX)
  • Integrate continuous monitoring into CI/CD
  • Detect vulnerabilities before they become breaches
  • Proactively secure clone apps before release


Prevention Is Achievable

The TM SGNL breach should not have happened. With continuous scanning, real-time intelligence, and automation-first remediation, it could have been prevented.

Meterian empowers software teams to spot and fix vulnerabilities like these — not weeks after deployment, but during development.

In 2025, security isn’t just a feature. It’s a process. And with Meterian, that process is invisible, continuous, and resilient by design.


Open Source, Hidden Risk

Part 1: What Business Leaders Must Learn from Recent Cyber Vulnerabilities

Author: Rod Cobain • 4 min read

[AI-generated image of business professionals]

Open source software powers your business. That is a fact, whether you know it or not. From core infrastructure to everyday applications, open source code is embedded deep within the tools we trust. It’s a quiet enabler of innovation, agility, and scale.

But recent high-profile vulnerabilities, from Log4Shell to the XZ Utils backdoor, have exposed a hard truth: what’s free and open can also be fragile and risky. For business leaders, these incidents aren’t just technical hiccups. They’re a boardroom-level ticking time bomb. It’s time we stop treating open source security as an engineering detail and start addressing it as a strategic priority.

Many assume that popular open source projects are secure because they’re widely used. But visibility isn’t the same as scrutiny. The Log4Shell vulnerability sat undetected in a core Java logging library for nearly a decade until December 2021. When discovered, it impacted millions of systems, everything from cloud platforms to consumer apps. As a business leader, if your business relies on open source (and it does), you must invest in ongoing due diligence, not blind trust. Recent supply chain issues should prompt critical questions such as “What’s in my software supply chain?” and “How is it monitored?”.

Your Risk is Reflected by Your Dependencies

A single compromised component can ripple across countless systems. In the event-stream incident, a small JavaScript library was hijacked and weaponised to steal cryptocurrency. As a business leader, demanding visibility into your organisation’s dependency map is a must: ignorance is no excuse, and cyber insurance providers do not cover such risks unconditionally. Are you relying on unknown or unmaintained components in your software development and production? If the answer is “yes” or “not sure”, you need to have your code assets scanned and either automatically remediated or managed with a mitigation plan. Because of the widespread consequences these open source vulnerabilities can have, since the Log4Shell incident insurance providers require customers to prove they have patched, or risk losing their cover.

Underfunded Projects Power Billion-Pound Businesses

The most alarming aspect of many open source vulnerabilities isn’t the flaw itself but the lack of maintenance. The XZ backdoor came about partly because the project had only one active maintainer; such is the nature of community-driven open source software. Consumers and enterprises using an open source library therefore inherit responsibility for the quality and security of the copy used in their own projects. Adopting a proactive, 24/7 solution that incorporates continuous monitoring, automated remediation and AI-powered vulnerability detection is essential for identifying and addressing issues swiftly.

Leadership takeaway: the trade-off is clear, a small investment now versus a large payout or loss of credibility later.

Speed of Response Is a Competitive Advantage

Putting in place a proactive approach for when vulnerabilities emerge (detect, prioritise and patch quickly) can prevent disruption and protect your reputation. Marks & Spencer, Co-op and others are still striving to regain normality weeks after their incidents. These unfortunate incidents at “world class companies” highlight how security response has become a key measure of business agility. Are your teams empowered with the tools and authority to act swiftly when open source risks emerge?

The Future of Open Source Security

Open source is here to stay. Its growth is undeniable and remains a cornerstone of technological innovation for good. But security can’t just be an engineering checkbox. It must be part of your organisation’s culture, led from the top. Encourage a mindset of proactive security and open collaboration. The best organisations view open source software not just as free software, but as shared infrastructure worth protecting.

Conclusion

Cyber vulnerabilities in open source are not a reason to fear the model. Instead, they are a call to engage more responsibly with it. As leaders, we must stop viewing open source security as someone else’s problem. The reality is: if your business runs on open source, its security must be your priority. Your role may not be a technical one, but asking the right questions and knowing your options from the beginning will help you take a preventive stance and ensure you don’t end up as tomorrow’s headline.


Defend Against Disruption: Safeguard Vulnerability Management Amid MITRE Funding Risks

Today’s Reality Check: Vulnerability Management is Non-Negotiable

With the MITRE CVE system being the backbone of global vulnerability identification, it’s alarming to see discussions about funding cuts that could jeopardize this critical resource. If the industry loses its shared language for describing digital flaws, we’re all in trouble. This could stifle innovation in vulnerability management and mitigation, leaving organizations scrambling for reliable data in the U.S. and globally.

The industry needs to rally. We must collaborate on alternative funding models, invest in open-source initiatives, and forge partnerships that keep vital resources like CVE alive and thriving. Let’s ensure that our defenses remain robust, even in the face of disruption.

Meterian: The Power Database and Invisible Security Platform You Need

While others may falter, Meterian is charging ahead. Our vulnerability database is not just comprehensive; it’s a powerhouse, tracking over 400,000 vulnerabilities and receiving daily automatic updates from a multitude of sources. We pull data from the National Vulnerability Database, GitHub Security Advisories, and 15 other unique feeds. But we don’t stop there. Our AI-generated insights, combined with meticulous manual curation, deliver a done-for-you service that your security and engineering teams can depend on.

In short, we provide your enterprise with a pair of automated eagle eyes, ensuring you have full visibility into potential software weaknesses in your third-party software supply chain.

Quality and Volume

Our commitment to excellence means you get the best tools to manage vulnerabilities effectively, for your team’s tech stack and workflow. We have a multitude of integrations, and our OpenAPI architecture means we can collaborate to create more value together.

Join the Revolution

It’s time to elevate your cybersecurity strategy with the best solution for your team. Ready to take your cybersecurity to the next level?  Check out our product page infographic to see how our database stacks up against the competition.


WHY IS SOFTWARE COMPOSITION ANALYSIS (SCA) IMPORTANT?


Attacks through open source are growing year on year, so companies cannot rely only on periodic pen testing. The code needs to be scanned on a daily basis during the lifecycle of the application’s development stages, and continue to do so once an application is deployed.

Modern software development relies heavily on open-source components: they accelerate development, reduce costs, and provide access to well-tested, community-maintained code. Understanding the composition of their software products is crucial for companies producing applications, as it helps them manage and secure the significant portion of their codebase that originates from open-source projects.

Checking open-source components in software development is crucial for at least three reasons: let’s have a closer look and clarify the problems.

Security Risks

The code of open-source components is always publicly available, which makes it a natural target for attackers. Each day, more than 50 new vulnerabilities are discovered in open-source components and, if not identified and managed, they can be exploited, leading to security breaches.

Countless examples are available:

All these hacks were performed using a vulnerability in an open-source component: nothing was wrong with the code written by the respective developers.

How common are vulnerabilities? See, in this sample, the growth of vulnerabilities in the .NET open-source ecosystem:

Please note that this is a restricted view that matches only vulnerabilities affecting open-source components specific to the .NET ecosystem. Across all ecosystems, more than 100,000 vulnerabilities affecting open-source components are recorded.

The risks are real. If you want to learn more you can also read our blog here.

License compliance

Open-source components come with various licenses, each with specific requirements and restrictions. Failing to comply with these licenses can lead to legal issues, including copyright infringement claims.

Among many examples, let’s not forget Truth Social, the well-known Twitter clone created by the Trump Media & Technology Group, which was found to be in breach of an OSS licence and had to disclose its source code publicly.

Tesla, too, decided to release code to the public to comply with a copyleft licence. On another occasion, Westinghouse Digital Electronics preferred bankruptcy to compliance.

The risks are real. If you want to learn more you can also read our blog  here.

Quality and reliability

While open-source software can be of high quality, this varies significantly, and some components might be abandoned or poorly maintained. Using such components can pose risks to the project’s stability and reliability.

Take Swashbuckle, a popular .NET project that was abandoned by its creator for more interesting adventures and now lies unmaintained and without an owner. It was last updated six years ago.


Let’s also look at Lazy, another popular Node.js component, last updated eleven years ago. While it’s a small library with a limited attack surface, why would you want it in your application? Software does not age like fine wine, unfortunately.

These are two examples of commonly used open-source components that have not been updated in years, a very long time in software development. They are, in effect, no longer maintained: if a problem is found, it won’t be fixed, and if a vulnerability is present, nobody will know about it (apart from the occasional attacker, of course).

How Meterian SCA helps solve the challenge

Meterian offers a comprehensive application security platform designed to enhance the security posture, compliance adherence, and overall quality of software projects. This platform provides in-depth analysis and automation capabilities, empowering organisations to effectively manage open-source and third-party libraries throughout their software development lifecycle. Through its robust features, Meterian enables organisations to identify and mitigate vulnerabilities, ensure compliance with relevant regulations and standards, and maintain a high level of software quality.

Meterian differs from its competitors in several ways. Let’s explore them.

Supports the largest number of ecosystems
If you are using a legacy technology like Perl, focus on data science using Jupyter Notebooks, build video games with Unity, or build ultra-fast micro-services with Rust, you deserve the best protection available. Meterian supports a wide range of languages and ecosystems, and if your platform is not there, we will be happy to support it for you. 

Easy to deploy on premises or in a dedicated cloud
In the SaaS industry, the requirement for a dedicated single-tenant instance or an on-premises installation may be driven by specific business needs, such as tight security, data sovereignty, and geo-location considerations. Meterian can easily provide a single-tenant environment, either on-cloud or on-prem, and also offers a range of air-gapped solutions for highly secure environments.

Comprehensive vulnerability database
Meterian’s vulnerability database not only boasts a broader coverage than any of its competitors but is also updated daily through a fully automated system that integrates numerous OSINT sources and Meterian’s specially curated databases, including AI-generated advisories directly from the analysis of open-source repositories. This automated process outpaces manual entry methods, ensuring we maintain a competitive edge through faster and more efficient updates, a key differentiation in our service offering.

Superior customer support
Speed, quality of responses and customer obsession have won us deals. We have a unique culture in which the concept of “support” does not really exist, as all engineers are constantly working with customers. We want to be obsessed with customers and solve their problems quickly and effectively. Every customer support query is handled directly by engineers and is given priority in our backlog. This approach guarantees that our product evolves in response to real-world feedback, while also maintaining the highest level of customer satisfaction.

What next?

Don’t just take our word for it – experience the benefits for yourself. We invite you to schedule a demo to see how our solution can make a difference in your organisation’s security posture. Our team of experts is ready to guide you through the features and show you how it can address your specific security challenges. Take the first step towards a more secure future – reach out today and discover how Meterian can elevate your cybersecurity strategy.


We look forward to hearing from you.


NVD Update Delays: What’s Happening at the National Vulnerability Database?

Introduction

Since its inception in 2005, the National Vulnerability Database (NVD) has been a vital resource for security professionals, providing details about common vulnerabilities and exposures (CVEs) discovered by researchers worldwide. However, in recent months, the NVD has faced significant challenges, resulting in delays and incomplete data. In this blog post, we explore the current state of the NVD and its implications for enterprise security.

The Mysterious Freeze

In February 2024, the NVD underwent an unexpected transformation. A cryptic announcement appeared on its website, stating that users would “temporarily see delays in [our] analysis efforts” while the National Institute of Standards and Technology (NIST) implemented improved tools and methods. Unfortunately, no further explanation accompanied this message. The freeze affected the timely documentation of CVEs, leaving security managers in a bind.

The CVE Model and Missing Details

The NVD relies on a network of 365 partners—both US-based and international—who contribute threat data. These partners include software vendors, bug bounty operators, and private research firms. Each participant adheres to a schema to ensure unique and accurate entries. However, since the beginning of the year, over 6,000 new CVEs have been posted, with nearly half lacking essential details in the NVD.

What’s Missing?

  • Metadata: The latest CVE entries lack critical metadata, such as information about affected software. Without this context, security managers struggle to assess the severity of vulnerabilities and prioritize patching efforts.
  • CVSS Scores: The Common Vulnerability Scoring System (CVSS) scores, which indicate vulnerability severity, are absent for many CVEs.
  • Product Information: Enterprises rely on NVD data to identify which applications and operating systems are at risk. Unfortunately, the missing details hinder this crucial aspect.
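The gaps above can be measured rather than guessed at. The following Python script is an added example (not NIST’s or Meterian’s code) that walks CVE records in the shape of the NVD API 2.0 response, flags those still lacking an NVD-supplied CVSS score or a CPE configuration, reports how long each has waited since publication, and falls back to the CNA’s own score where one exists so that triage is not blocked. The three records are constructed with placeholder CVE ids.

```python
"""Flag CVE records that the NVD has not yet enriched, and pick a fallback score.

Added example, not NIST's or Meterian's code. The records are constructed in
the shape of the NVD API 2.0 `vulnerabilities[]` array (cve.id, cve.published,
cve.metrics.cvssMetricV31[], cve.configurations[]); the CVE ids are
placeholders, not real entries. In that format a metric entry whose "type" is
"Primary" is NVD's own analysis and "Secondary" is the CNA's.
"""
from datetime import datetime, timezone

NVD_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"

# Constructed records: one fully analysed, one bare, one with only a CNA score.
RECORDS = [
    {"cve": {"id": "CVE-0000-00001", "published": "2024-03-01T10:00:00.000",
             "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                            "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-00002", "published": "2024-03-20T10:00:00.000",
             "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-0000-00003", "published": "2024-03-25T10:00:00.000",
             "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "type": "Secondary",
                                            "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
]


def cvss_entries(cve):
    """All CVSS metric entries on a record, newest scheme first."""
    metrics = cve.get("metrics") or {}
    return [entry for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")
            for entry in metrics.get(key, [])]


def missing_fields(cve):
    """What enterprise triage needs and the NVD has not supplied yet."""
    missing = []
    if not any(entry.get("type") == "Primary" for entry in cvss_entries(cve)):
        missing.append("nvd_cvss")
    if not cve.get("configurations"):
        missing.append("cpe_configuration")
    return missing


def effective_score(cve):
    """NVD's own score if present, else the CNA's, else None (manual triage)."""
    for origin in ("Primary", "Secondary"):
        for entry in cvss_entries(cve):
            if entry.get("type") == origin:
                return entry["cvssData"]["baseScore"], origin
    return None, None


def backlog_report(records, as_of):
    """as_of is an NVD-format timestamp string; ages are whole days since publication."""
    now = datetime.strptime(as_of, NVD_TIME_FORMAT).replace(tzinfo=timezone.utc)
    gaps = []
    for record in records:
        cve = record["cve"]
        missing = missing_fields(cve)
        if not missing:
            continue
        published = datetime.strptime(cve["published"], NVD_TIME_FORMAT).replace(tzinfo=timezone.utc)
        score, origin = effective_score(cve)
        gaps.append({"id": cve["id"], "missing": missing,
                     "age_days": (now - published).days,
                     "score": score, "score_origin": origin})
    return {"total": len(records), "unenriched": len(gaps), "gaps": gaps}


if __name__ == "__main__":
    report = backlog_report(RECORDS, "2024-04-01T12:00:00.000")
    print(f"{report['unenriched']}/{report['total']} records still unenriched")
    for gap in report["gaps"]:
        print(gap)
```

A CNA score is a usable interim signal for prioritisation, but it is not the same as NVD enrichment; in practice the cpe_configuration gap is the one that actually stops asset matching, because without it nothing tells you which product versions are affected.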

The status of things (April 2024)

In a recent update, the NVD team discussed the importance of the National Vulnerability Database and the challenges it faces. The NVD is a repository of information on software and hardware flaws that can compromise computer security. There is a growing backlog of vulnerabilities submitted to the NVD, and NIST says it is working to address this challenge. NIST is committed to its continued support and management of the NVD, but at the time of writing it is lagging behind.

How Meterian can help

Enter Meterian, a comprehensive application security solution that offers unique advantages over traditional databases. Meterian has an extremely robust security database that implements:

  1. Automated Daily Updates: Unlike the NVD, which has experienced recent delays, Meterian’s security database is updated at least every 4 hours. This automated process ensures that you receive the most current threat intelligence promptly.
  2. Diverse Data Sources: Meterian aggregates data from more than 15 unique sources, including both public and private feeds. These sources contribute to a comprehensive repository of vulnerability information, covering a wide range of software components. This is also enriched by Meterian AI and internally curated databases.
  3. Monitoring 350K Vulnerabilities: At present, Meterian actively monitors around 350,000 vulnerabilities across various ecosystems, from Perl to Rust. If you’re building applications and dealing with open-source libraries or frameworks, Meterian has you covered.

Conclusion

As the NVD grapples with its challenges, consider integrating Meterian into your security toolkit. Stay informed, stay proactive, and safeguard your digital assets effectively. Alternatively, you can simply start receiving timely notification through our alerting system: please check out our previous article that explains how to do just that!


Supply Chain Shock: Backdoor in liblzma Highlights Third-Party Package Risks

The open-source software (OSS) ecosystem thrives on the principles of transparency and collaborative development. However, a recent critical vulnerability discovered in the core library liblzma has cast a shadow on this trust. The vulnerability, a backdoor hidden in the project’s build scripts and binary test files rather than in readable source, contained malicious code that could have granted attackers access to users’ systems through SSH servers. This unsettling incident serves as a sobering reminder of the tangible risks inherent in relying on third-party software packages, even within the seemingly open and collaborative realm of OSS.

What happened?

liblzma, the compression library behind xz and used by many Linux distributions, was compromised by a backdoor hidden in its release artefacts. The code was inserted by a contributor known as Jia Tan (GitHub account JiaT75), who had spent roughly two years earning trust in the project before planting it in versions 5.6.0 and 5.6.1. During the build process, on x86_64 Linux systems, the malicious code was spliced into the compiled library, from where it could hook the SSH server process and allow a remote attacker holding the matching private key to run commands without authenticating.

Why third-party packages are a risk

While OSS thrives on collaboration, it also introduces vulnerabilities. We rely on the good faith of developers contributing code. Malicious actors can exploit this trust by injecting backdoors or other harmful code into seemingly legitimate libraries like liblzma.

What can you Do?

To mitigate the risks associated with third-party software packages, it is imperative to stay vigilant and proactive. Patching software promptly by updating your system regularly ensures you have the latest security fixes in place. Furthermore, exercising caution when obtaining software updates and packages by exclusively utilizing official or trusted sources is of utmost importance. Thoroughly researching the maintainers of the software packages you rely upon can shed light on their track record of responsible updates and reputation within the community. Whenever feasible, exploring alternatives to widely used libraries can be a prudent strategy, as diversifying your software portfolio can reduce the potential impact of a single vulnerability. By adopting these measures, you can bolster the security posture of your systems and minimize the risks posed by third-party software dependencies.

How Meterian can help

The liblzma backdoor incident serves as a wake-up call, and it highlights the need for constant vigilance. By understanding the risks and taking preventative measures, we can build a more secure software ecosystem. Remember, security is an ongoing process, not a one-time fix.

Security solutions like Meterian can be powerful allies in mitigating the risks of third-party packages. Meterian’s notification system keeps you informed about the latest vulnerabilities impacting your software ecosystem, including critical flaws like the recently discovered liblzma backdoor. Through timely alerts and detailed reporting, Meterian ensures you stay on top of potential threats before they can be exploited. Additionally, Meterian’s Software Composition Analysis (SCA) solution goes a step further by scanning your codebase for known vulnerabilities within dependencies like liblzma. By proactively identifying these risks, SCA allows you to take early action and prioritize patching vulnerable components, ultimately safeguarding your systems and data.

Don’t wait for the next major vulnerability to compromise your systems. Take control of your software security today. Try Meterian for free and experience the power of proactive vulnerability detection and management.

An important note!

The xz/liblzma packages are sometimes included in major Linux distributions, and much of the focus is now there, also because this vulnerability can be exploited to execute remote commands over SSH. However, please be aware that this vulnerability may also affect your application code, either because your C/C++ applications link liblzma directly, or because, via conan, you previously used the package xz_utils in one of the vulnerable versions (5.6.0, 5.6.1). Furthermore, wrappers such as xz.ex (Elixir), xz.net (.NET), ruby-xz (Ruby) and similar packages may indirectly pull in the affected package.
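
The following script is an added example, not code from the original post or from Meterian. It shows how a defender can check the three places the paragraph above names for the vulnerable 5.6.0 and 5.6.1 releases: a Conan manifest or lock file that references `xz_utils`, the version reported by the installed `xz` binary, and whether a C/C++ binary actually links `liblzma` (from `ldd` output). The function names, the result keys and all sample inputs are my own constructions.

```python
"""Check local artifacts for the vulnerable xz_utils / liblzma releases.

Added example (not code from the original post). It inspects three kinds of
text a defender can collect on a build host: a Conan manifest or lock file,
the output of `xz --version`, and the output of `ldd` for a C/C++ binary.
The sample inputs at the bottom are constructed for illustration.
"""
import re
import subprocess

# Releases named in the advisory for CVE-2024-3094.
VULNERABLE_VERSIONS = {"5.6.0", "5.6.1"}

# Conan references look like "xz_utils/5.6.1" (conanfile.txt) or
# "xz_utils/5.6.1#<rrev>%<timestamp>" (conan.lock); the regex tolerates both.
CONAN_REF = re.compile(r"\bxz_utils/(\d+\.\d+\.\d+)")
# `xz --version` prints "xz (XZ Utils) 5.6.1" and "liblzma 5.6.1".
XZ_VERSION = re.compile(r"\b(?:xz \(XZ Utils\)|liblzma)\s+(\d+\.\d+\.\d+)")
# ldd resolves a linked liblzma as "liblzma.so.5 => /path/liblzma.so.5 (0x...)".
LDD_LZMA = re.compile(r"^\s*liblzma\.so(?:\.\d+)?\s*=>\s*(\S+)", re.MULTILINE)


def conan_findings(manifest_text):
    """Vulnerable xz_utils versions referenced by a Conan manifest or lock file."""
    return sorted({v for v in CONAN_REF.findall(manifest_text) if v in VULNERABLE_VERSIONS})


def xz_version_findings(xz_version_output):
    """Vulnerable versions reported by the installed xz binary / liblzma."""
    return sorted({v for v in XZ_VERSION.findall(xz_version_output) if v in VULNERABLE_VERSIONS})


def linked_liblzma_paths(ldd_output):
    """Paths of liblzma the dynamic linker resolves for a binary ([] if not linked)."""
    return LDD_LZMA.findall(ldd_output)


def assess(manifest_text, xz_version_output, ldd_output):
    """Combine the three checks into one verdict.

    Linking liblzma on its own is only an exposure indicator: the binary is at
    risk when the library it loads is one of the vulnerable releases, which the
    `xz --version` (or package manager) check establishes.
    """
    conan = conan_findings(manifest_text)
    installed = xz_version_findings(xz_version_output)
    lzma_paths = linked_liblzma_paths(ldd_output)
    return {
        "conan_vulnerable_refs": conan,
        "installed_vulnerable_versions": installed,
        "linked_liblzma": lzma_paths,
        "vulnerable_xz_present": bool(conan or installed),
        "application_links_vulnerable_liblzma": bool(installed) and bool(lzma_paths),
    }


def collect_live(binary_path):
    """Gather real `xz --version` and `ldd <binary>` output on this host.

    Returns (xz_output, ldd_output); either is "" if the tool is unavailable.
    """
    def run(cmd):
        try:
            return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        except OSError:
            return ""
    return run(["xz", "--version"]), run(["ldd", binary_path])


# Constructed sample inputs (not real scan output).
SAMPLE_CONANFILE = "[requires]\nzlib/1.3.1\nxz_utils/5.6.1\n\n[generators]\nCMakeDeps\n"
SAMPLE_CONAN_LOCK = ('{"version": "0.5", "requires": '
                     '["xz_utils/5.6.0#0000%1711234567.1", "zlib/1.3.1#1111%1711234567.2"]}')
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd0a1f0000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3c9b200000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c9b000000)\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_CONANFILE, SAMPLE_XZ_VERSION, SAMPLE_LDD))
```

On a real host, replace the sample strings with the contents of your conanfile.txt or conan.lock and the two outputs returned by `collect_live("./your-binary")`; a non-empty `conan_vulnerable_refs` list means the build graph pinned a vulnerable release even if the host's own xz has since been updated.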

Update – 15 April 2024

This is a novel situation, and there is still much uncertainty. We are aware of only a single known exploit path at this time, but there may be additional scenarios that have not yet been identified.

In detail, so far it looks like the payload activates if the running program has the process name /usr/sbin/sshd; however, based on ongoing analysis, it may also activate in other scenarios unrelated to SSH. This matter is still under investigation; keep an eye on this page (see reference 5) to follow the active investigation.


References

  1. Backdoor in the xz source code: https://www.openwall.com/lists/oss-security/2024/03/29/4
  2. Backdoor in upstream xz/liblzma leading to SSH server compromise: https://news.ycombinator.com/item?id=39868673
  3. NVD reference: https://nvd.nist.gov/vuln/detail/CVE-2024-3094
  4. A live analysis of the backdoor: https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
  5. Ongoing investigation: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

Precise and Timely Vulnerability Notifications with Meterian

Stop worrying about missing critical vulnerability alerts. As application security experts, we know the constant struggle to stay informed about the latest threats facing your open-source components. That’s why we’re excited to introduce Meterian’s vulnerability notification system, designed to provide timely, accurate, and actionable information so you can take immediate steps to protect your applications.

Unparalleled Insight into Open-Source Risks

Meterian boasts the largest OSINT vulnerability database on the market, meticulously tracking over 335,000 vulnerabilities daily across 20+ diverse sources. We go beyond mere quantity, offering almost 94,000 unique vulnerabilities spanning 16 programming languages, ensuring comprehensive coverage for your development stack. Every day,

Never Miss a Critical Update

Our system proactively identifies new open-source component vulnerabilities and critical updates, delivering comprehensive notifications straight to your inbox. Each notification contains all the essential details to address the issue effectively:

  • Precise component name and ecosystem
  • Affected version range
  • Detailed vulnerability description
  • CVE identifier (if available)
  • Associated CVSS and EPSS scores
  • List of unaffected versions
  • Links for further exploration
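
As an added example (not Meterian's code, and not its notification format), here is how a consumer of notifications shaped like the list above can decide whether an installed dependency is actually affected and in what order to act. The range syntax (`">=5.6.0 <=5.6.1"`), the function names `in_range`, `is_affected` and `triage`, and every sample value, including the scores, are constructed for illustration; only the CVE id for xz_utils is the one discussed earlier on this page.

```python
"""Match vulnerability notifications against a dependency inventory.

Added example; it is not Meterian's code or its notification format. The
record fields mirror the notification contents listed above (component name
and ecosystem, affected version range, CVE id, CVSS and EPSS scores,
unaffected versions); all sample values are constructed for illustration.
"""
import operator
import re

# A clause is an operator followed by a dotted version, e.g. ">=5.6.0"; a range
# is a whitespace-separated conjunction of clauses, e.g. ">=5.6.0 <=5.6.1".
# This mini-syntax is an assumption of the example, not a vendor format.
CLAUSE = re.compile(r"^(>=|<=|==|=|>|<)?(\d+(?:\.\d+)*)$")
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "=": operator.eq, ">": operator.gt, "<": operator.lt}


def compare_versions(a, b):
    """-1, 0 or 1 for dotted numeric versions; shorter versions are zero-padded."""
    pa = [int(x) for x in a.split(".")]
    pb = [int(x) for x in b.split(".")]
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def in_range(version, spec):
    """True if `version` satisfies every clause of the affected range `spec`."""
    for clause in spec.split():
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.group(1) or "==", m.group(2)
        if not OPS[op](compare_versions(version, bound), 0):
            return False
    return True


def is_affected(notification, installed_version):
    """Affected-range match, overridden by an explicit unaffected-version list."""
    if installed_version in notification.get("unaffected_versions", ()):
        return False
    return in_range(installed_version, notification["affected_range"])


def triage(notifications, inventory):
    """Findings for every inventory entry hit by a notification, most urgent first.

    Ordering uses EPSS (likelihood of exploitation) before CVSS (impact), so a
    widely exploited medium-severity flaw outranks an unexploited critical one.
    """
    findings = []
    for dep in inventory:
        for note in notifications:
            same_component = (note["component"] == dep["name"]
                              and note["ecosystem"] == dep["ecosystem"])
            if same_component and is_affected(note, dep["version"]):
                findings.append({
                    "component": dep["name"],
                    "ecosystem": dep["ecosystem"],
                    "installed": dep["version"],
                    "cve": note.get("cve"),
                    "cvss": note["cvss"],
                    "epss": note["epss"],
                    "fix_versions": list(note.get("unaffected_versions", [])),
                })
    findings.sort(key=lambda f: (f["epss"], f["cvss"]), reverse=True)
    return findings


# Constructed sample data: scores, ranges, unaffected lists and the two npm
# packages are illustrative only; the xz_utils CVE id is the one from this page.
SAMPLE_NOTIFICATIONS = [
    {"component": "xz_utils", "ecosystem": "conan", "affected_range": ">=5.6.0 <=5.6.1",
     "cve": "CVE-2024-3094", "cvss": 10.0, "epss": 0.80, "unaffected_versions": ["5.4.6"]},
    {"component": "example-lib", "ecosystem": "npm", "affected_range": "<2.4.1",
     "cve": None, "cvss": 7.5, "epss": 0.02, "unaffected_versions": ["2.4.1"]},
    {"component": "other-lib", "ecosystem": "npm", "affected_range": "<1.0.0",
     "cve": None, "cvss": 5.3, "epss": 0.01, "unaffected_versions": ["1.0.0"]},
]
SAMPLE_INVENTORY = [
    {"name": "xz_utils", "ecosystem": "conan", "version": "5.6.1"},
    {"name": "example-lib", "ecosystem": "npm", "version": "2.3.0"},
    {"name": "other-lib", "ecosystem": "npm", "version": "1.0.0"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_NOTIFICATIONS, SAMPLE_INVENTORY):
        print(finding)
```

The unaffected-version list is checked before the range so that a backported fix (a version that falls numerically inside the affected range but was patched) is not reported; the inventory entry for `other-lib` sits exactly at the fix version and is correctly left out.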

What’s a CVE?

A CVE is like the official scoreboard listing of a severe foul or broken piece of equipment (a security flaw) that the entire league (the tech world) agrees must be fixed. Meterian acts as your team’s Defensive Coordinator, constantly watching the game for any new fouls and sending a precise, instant notification only to the players (developers) who are currently using that faulty gear, telling them exactly how to swap it out for a legal one before the referee throws a flag (a breach).

We believe that staying informed about vulnerabilities requires a comprehensive view. That’s why our platform not only delivers daily updates but also offers a valuable 30-day history, for free. This historical perspective allows you to track the evolution of vulnerabilities: whether you’re a seasoned developer or an individual user, understanding the trends over the past month can empower you to make informed decisions and take proactive security measures. Visit our Meterian Vulnerabilities pages to explore this rich history and stay ahead of the curve.

Tailored Alerts for Subscribed Users

We understand that information overload can be counterproductive. That’s why we offer two distinct notification systems for subscribed users:

  • Sentinel, which continuously monitors previously scanned projects
  • Allerta, which provides alerts based on user-specific preferences

Sentinel Notification System: Continuous Security Monitoring

Our Sentinel Notification System is your ticket to continuous security monitoring. It offers timely alerts to development teams, even without active scans. Once a project is under Meterian’s purview, Sentinel automatically and routinely examines it for new vulnerabilities. This seamless process ensures ongoing security screening, eliminating the need for user intervention. With Sentinel, you can rest assured that your projects remain protected around the clock.

Allerta Notification System: Tailored Security Alerts

The Allerta Notification System is designed with flexibility in mind. It allows users to tailor security alerts based on their preferences. You can define your interests, specifying preferred ecosystems, and scoring thresholds, ensuring that you receive notifications that align with your specific needs. Whether you’re a developer focusing on a particular programming language or a security professional seeking a broader view, Allerta provides precise information tailored to your requirements. With Allerta, you gain the ability to customize your security alerts while staying well-informed about the vulnerabilities that matter most to you.

Empowering Developers and Security Teams

Developers can focus on specific languages, while security personnel maintain a global view. All notifications provide granular details, including the affected component and version, so everyone has the context needed to make informed decisions. Don’t wait for a breach to expose your vulnerabilities. Meterian’s notification system empowers you to take control of your application security.

Sign up for a free trial today and experience the power of proactive application security. See for yourself how Meterian can keep you ahead of the curve and your applications safe. And remember, you can always consult the daily vulnerability report online, completely free: no subscriptions needed.

Take action now and protect your applications from the ever-evolving threat landscape!
