Announcing Legit Root Cause Remediation! Click here to read more -->

Blog Contact Us Sign In
Platform
Platform - ASPM Icon
Application Security Posture Management (ASPM)
Platform - Secrets Detection & Prevention
Secrets Detection & Prevention
Platform - Continuous Compliance and SBOM Icon
Continuous Compliance and SBOM
Platform - Software Supply Chain Security SSCS Icon
Software Supply Chain Security (SSCS)
Platform - AI Security Posture Management (AI-SPM) Icon
AI Security Posture Management (AI-SPM)
Platform - AppSec Vulnerability Management Icon
AppSec Vulnerability Management
Integrations
Why Legit
Why Legit - Customers Icon
Customers
Resources
header mobile nav icon
Resources
Resources - Blog Icon
Blog
Resources - Resource Library Icon
Resource Library
Resources - Open Source with Legitify Icon
Open Source w/ Legitify
Resources - Events Icon
Events
Company
Company - Partners Icon
Partners
Company - About Legit Icon 2
About Legit
Company - Press Releases Icon 1
Press Releases
Company - In the News Icon
In the News
Company - Careers Icon
Careers

Blogs about Threats

    Content Type
    View All AppSec Best Practices CISO Compliance DevOps Explainers Legit Partners SCMs Threats
    Get details on this recent vulnerability, how to respond, and how Legit can help. 
    AppSec Legit Threats

    Next.js Vulnerability: What You Need to Know

    March 24, 2025

    Get details on this recent vulnerability, how to respond, and how Legit can help. 

    Read More
    Get details on this recent supply chain attack and how to avoid similar attacks.
    AppSec Legit Threats

    Github Actions tj-actions/changed-files Attack

    March 18, 2025

    Get details on this recent supply chain attack and how to avoid similar attacks.

    Read More
    Get details on the most common toxic combinations Legit unearthed in enterprises' software factories.
    Explainers AppSec Legit Threats

    The 2025 State of Application Risk Report: Understanding Toxic Combinations in Application Security

    February 27, 2025

    Get details on the most common toxic combinations Legit unearthed in enterprises' software factories.

    Read More
    Explore the best cloud security posture management (CSPM) tools to spot misconfigurations, enhance cloud security, and comply with different frameworks.
    DevOps Explainers Best Practices Legit Threats SCMs Compliance

    7 CSPM Tools to Secure Your Cloud Infrastructure

    February 25, 2025

    Explore the best cloud security posture management (CSPM) tools to spot misconfigurations, enhance cloud security, and comply with different frameworks.

    Read More
    Get details on this recent supply chain attack and how to avoid falling victim to similar attacks.
    AppSec Legit Threats

    The Ultralytics Supply Chain Attack: How It Happened, How to Prevent

    February 19, 2025

    Get details on this recent supply chain attack and how to avoid falling victim to similar attacks.

    Read More
    Get details on Legit's new capabilities that allow teams to quickly fix what matters most.
    CISO DevOps Best Practices AppSec Legit Threats

    Announcing Legit Root Cause Remediation

    January 30, 2025

    Get details on Legit's new capabilities that allow teams to quickly fix what matters most.

    Read More
    Use the data and analysis in this report to prioritize your 2025 AppSec efforts.
    CISO DevOps Best Practices AppSec Legit Threats

    Announcing the 2025 State of Application Risk Report

    January 22, 2025

    Use the data and analysis in this report to prioritize your 2025 AppSec efforts.

    Read More
    Legit Security | How to Mitigate the Risk of GitHub Actions. Get highlights of our research into the security of GitHub Actions, and our advice on mitigating the risk.
    CISO Best Practices AppSec Threats

    How to Mitigate the Risk of GitHub Actions

    September 09, 2024

    How to Mitigate the Risk of GitHub Actions. Get highlights of our research into the security of GitHub Actions, and our advice on mitigating the risk.

    Read More
    Legit Security | The Risks Lurking in Publicly Exposed GenAI Development Services. Get our research team's analysis of the security of GenAI development services.
    Best Practices AppSec Threats

    The Risks Lurking in Publicly Exposed GenAI Development Services

    August 28, 2024

    The Risks Lurking in Publicly Exposed GenAI Development Services. Get our research team's analysis of the security of GenAI development services.

    Read More
    Legit Security | ESG Survey Report Finds AI, Secrets, and Misconfigurations Plague AppSec Teams. Find out how your peers are managing application security challenges. 
    CISO Best Practices AppSec Threats

    ESG Survey Report Finds AI, Secrets, and Misconfigurations Plague AppSec Teams

    August 16, 2024

    ESG Survey Report Finds AI, Secrets, and Misconfigurations Plague AppSec Teams. Find out how your peers are managing application security challenges. 

    Read More
    Legit Security | Security Challenges Introduced by Modern Software Development. Understand how modern software development is changing security threats.
    Best Practices AppSec Threats

    Security Challenges Introduced by Modern Software Development

    June 13, 2024

    Security Challenges Introduced by Modern Software Development. Understand how modern software development is changing security threats.

    Read More
    Legit Security | Don't Protect Your Software Supply Chain, Defend the Entire Software Factory. Find out why a too-narrow definition of
    Best Practices AppSec Threats

    Don’t Protect Your Software Supply Chain, Defend the Entire Software Factory

    June 05, 2024

    Don't Protect Your Software Supply Chain, Defend the Entire Software Factory. Find out why a too-narrow definition of "supply chain" may be hindering software security efforts.

    Read More
    Legit Security | Securing the Gateway: Why Protecting Build Systems Is Crucial in Modern Software Development. Understand why securing build systems is as important as securing production systems.
    Best Practices AppSec Threats

    Securing the Gateway: Why Protecting Build Systems Is Crucial in Modern Software Development

    May 21, 2024

    Securing the Gateway: Why Protecting Build Systems Is Crucial in Modern Software Development. Understand why securing build systems is as important as securing production systems.

    Read More
    Legit Security | New Survey Finds a Paradox of Confidence in Software Supply Chain Security. Get results of and analysis on ESG's new survey on supply chain security.
    Best Practices AppSec Threats

    New Survey Finds a Paradox of Confidence in Software Supply Chain Security

    May 17, 2024

    New Survey Finds a Paradox of Confidence in Software Supply Chain Security. Get results of and analysis on ESG's new survey on supply chain security.

    Read More
    Legit Security | Verizon 2024 DBIR Key Takeaways. Get key data points and takeaways from the 2024 Verizon Data Breach Investigations Report.
    Best Practices AppSec Threats

    Verizon 2024 DBIR: Key Takeaways

    May 13, 2024

    Verizon 2024 DBIR Key Takeaways. Get key data points and takeaways from the 2024 Verizon Data Breach Investigations Report.

    Read More
    Legit Security | Dependency Confusion Vulnerability Found in an Archived Apache Project. Get details on the Legit research team's discovery of a dependency confusion vulnerability in an archived Apache project.
    Explainers Best Practices AppSec Threats

    Dependency Confusion Vulnerability Found in an Archived Apache Project 

    April 22, 2024

    Dependency Confusion Vulnerability Found in an Archived Apache Project. Get details on the Legit research team's discovery of a dependency confusion vulnerability in an archived Apache project.

    Read More
    Legit Security | Securing the Software Supply Chain: Risk Management Tips. Securing the software supply chain can seem daunting, but with the right strategy, you can optimize your software supply chain risk management practices.
    Explainers Best Practices AppSec Legit Threats

    Securing the Software Supply Chain: Risk Management Tips

    April 01, 2024

    Securing the Software Supply Chain: Risk Management Tips. Securing the software supply chain can seem daunting, but with the right strategy, you can optimize your software supply chain risk management practices.

    Read More
    Legit Security | What You Need to Know About the XZ Utils Backdoor.
    AppSec Legit Threats

    What You Need to Know About the XZ Utils Backdoor

    March 30, 2024

    What You Need to Know About the XZ Utils Backdoor.

    Read More
    Legit Security | How to Get the Most From Your Secrets Scanning. Secret scanning is essential for unlocking next-level software supply chain security. Get tips & best practices for optimal secret scanning to secure your code.
    Best Practices AppSec Legit Threats

    How to Get the Most From Your Secrets Scanning

    March 25, 2024

    How to Get the Most From Your Secrets Scanning. Secret scanning is essential for unlocking next-level software supply chain security. Get tips & best practices for optimal secret scanning to secure your code.

    Read More
    Legit Security | Microsoft Under Attack by Russian Cyberattackers. Understand how these attackers are operating and what their tactics mean for security strategies.
    Best Practices AppSec Legit Threats

    Microsoft Under Attack by Russian Cyberattackers

    March 15, 2024

    Microsoft Under Attack by Russian Cyberattackers. Understand how these attackers are operating and what their tactics mean for security strategies.

    Read More
    The Legit Security research team has found and reported a zero-click attack that allowed attackers to submit malicious code and access secrets.
    AppSec Legit Threats SCMs

    Azure Devops Zero-Click CI/CD Vulnerability

    January 31, 2024

    The Legit Security research team has found and reported a zero-click attack that allowed attackers to submit malicious code and access secrets.

    Read More
    Legit Security | In this blog series, we uncover the challenges of adopting SLSA provenance and discuss methods for overcoming those challenges.
    AppSec Threats

    SLSA Provenance Blog Series, Part 4: Implementation Challenges for SLSA Provenance for Enterprises

    January 24, 2024

    In this blog series, we uncover the challenges of adopting SLSA provenance and discuss methods for overcoming those challenges.

    Read More
    Learn how vulnerable self-hosted runners can lead to severe software supply chain attacks.
    DevOps AppSec Threats

    GitHub, PyTorch and More Organizations Found Vulnerable to Self-Hosted Runner Attacks

    January 18, 2024

    Learn how vulnerable self-hosted runners can lead to severe software supply chain attacks.

    Read More
    Legit Security | In this blog series, we uncover the challenges of adopting SLSA provenance and discuss methods for overcoming those challenges.
    AppSec Threats

    SLSA Provenance Blog Series, Part 3: The Challenges of Adopting SLSA Provenance

    December 28, 2023

    In this blog series, we uncover the challenges of adopting SLSA provenance and discuss methods for overcoming those challenges.

    Read More
    Legit Security | Uncovering 'AIJacking': How Attackers Exploit Hugging Face for AI Supply Chain Attacks - A Deep Dive into Vulnerabilities and Risks.
    Legit Threats

    Legit Discovers "AI Jacking" Vulnerability in Popular Hugging Face AI Platform

    October 24, 2023

    Uncovering 'AIJacking': How Attackers Exploit Hugging Face for AI Supply Chain Attacks - A Deep Dive into Vulnerabilities and Risks.

    Read More
    Explore the security risks of generative AI, including code opacity and embedding concerns, in the evolving landscape of AI and LLMs.
    Threats

    Top Risks of Ignoring AI Code in Your Organization & LLM Embedding

    October 10, 2023

    Explore the security risks of generative AI, including code opacity and embedding concerns, in the evolving landscape of AI and LLMs.

    Read More
    Legit Security | Learn how the use of Large Language Models (LLMs) like OpenAI's GPT and Google's Bard can create security risks in your applications.
    Best Practices AppSec Threats

    Emerging Risks with Embedded LLM in Applications

    August 02, 2023

    Learn how the use of Large Language Models (LLMs) like OpenAI's GPT and Google's Bard can create security risks in your applications.

    Read More
    Legit Security | This blog shows another case of GitHub Actions environment injection vulnerability in a Google repository.
    Legit Threats

    How We Found Another GitHub Actions Environment Injection Vulnerability in a Google Project

    July 03, 2023

    This blog shows another case of GitHub Actions environment injection vulnerability in a Google repository.

    Read More
    Legit Security | On May 20th, PyPI (the official Python Package manager) announced they are temporarily suspending new users and new project registration.
    Explainers AppSec Threats

    Supply Chain Attacks Overflow: PyPI Suspended New Registrations

    May 22, 2023

    On May 20th, PyPI (the official Python Package manager) announced they are temporarily suspending new users and new project registration.

    Read More
    Discover the SLSA framework, designed to ensure the integrity of software artifacts and enhance overall software supply chain security.
    AppSec Threats

    Deep Dive Into SLSA Provenance and Software Attestation

    May 10, 2023

    Discover the SLSA framework, designed to ensure the integrity of software artifacts and enhance overall software supply chain security.

    Read More
    Legit Security | In this blog series, we uncover the details of SLSA provenance which refers to the ability to trust the authenticity of artifacts.
    AppSec Threats

    SLSA Provenance Blog Series, Part 1: What Is Software Attestation

    May 09, 2023

    In this blog series, we uncover the details of SLSA provenance which refers to the ability to trust the authenticity of artifacts.

    Read More
    Explore the risks of secret exposure through leaked source code & why traditional scanners may not fully protect against it. Learn effective security strategies for secrets in the SDLC.
    AppSec Threats

    5 Ways Attackers Exploit Hardcoded Secrets & How to Prevent

    April 25, 2023

    Explore the risks of secret exposure through leaked source code & why traditional scanners may not fully protect against it. Learn effective security strategies for secrets in the SDLC.

    Read More
    Legit Security | Protect your business from the serious consequences of code leaks by taking proactive measures to enhance your cybersecurity posture.
    Best Practices Threats

    The Business Risks and Costs of Source Code Leaks and Prevention Tips

    April 24, 2023

    Protect your business from the serious consequences of code leaks by taking proactive measures to enhance your cybersecurity posture.

    Read More
    Legit Security | 3CX, an international VoIP IPBX software, experienced software supply chain attack. We detail what occurred, and how it can be prevented.
    Explainers AppSec Threats

    Sophisticated 3CX Software Supply Chain Attack Affects Millions of Users

    March 31, 2023

    3CX, an international VoIP IPBX software, experienced software supply chain attack. We detail what occurred, and how it can be prevented.

    Read More
    Legit Security | Our team has found a vulnerability in Azure Pipelines (CVE-2023-21553) that allows an attacker to execute malicious code in a pipeline.
    Threats

    Remote Code Execution Vulnerability in Azure Pipelines Can Lead To Software Supply Chain Attack

    March 30, 2023

    Our team has found a vulnerability in Azure Pipelines (CVE-2023-21553) that allows an attacker to execute malicious code in a pipeline.

    Read More
    Discover top cloud security threats and learn effective techniques to keep your cloud applications secure year-round.
    Explainers Best Practices Threats

    Top 8 Cloud Application Security Challenges and Issues

    March 14, 2023

    Discover top cloud security threats and learn effective techniques to keep your cloud applications secure year-round.

    Read More
    Legit Security | Our team investigated how sensitive information can get exposed via SDLC tools that may be used as part of your development pipeline.
    Best Practices Legit Threats

    Exposing Secrets Via SDLC Tools: The Artifactory Case

    February 28, 2023

    Our team investigated how sensitive information can get exposed via SDLC tools that may be used as part of your development pipeline.

    Read More
    Legit Security | We investigate how sensitive information can get exposed via AppSec tools that you use in your dev pipeline, using the SonarQube Case.
    Threats

    Exposing Secrets Via SDLC Tools: The SonarQube Case

    January 19, 2023

    We investigate how sensitive information can get exposed via AppSec tools that you use in your dev pipeline, using the SonarQube Case.

    Read More
    Explore our findings on a common markdown syntax vulnerability and its potential to cause Denial-of-Service (DoS) attacks.
    Legit Threats

    The MarkdownTime Vulnerability: How to Avoid DoS Attack on Business

    January 18, 2023

    Explore our findings on a common markdown syntax vulnerability and its potential to cause Denial-of-Service (DoS) attacks.

    Read More
    See how attackers used compromised Jenkins plugins to attack the software supply chain and how to continuously detect vulnerable Jenkins plugins at scale.
    Best Practices Legit Threats

    How to Continuously Detect Vulnerable Jenkins Plugins to Avoid a Software Supply Chain Attack

    January 04, 2023

    See how attackers used compromised Jenkins plugins to attack the software supply chain and how to continuously detect vulnerable Jenkins plugins at scale.

    Read More
    New software supply chain vulnerabilities use artifact poisoning and attack the software development pipelines on projects using GitHub Actions.
    Threats SCMs

    Novel Pipeline Vulnerability Discovered; Rust  Found Vulnerable

    December 01, 2022

    New software supply chain vulnerabilities use artifact poisoning and attack the software development pipelines on projects using GitHub Actions.

    Read More
    OpenSSL has announced a critical fix in version 3.0.7 to be released Nov 1st. It means that on Tuesday the race will start between those who patch and those who exploit.
    Threats

    Critical and Time Sensitive OpenSSL Vulnerability - The Race Between Attackers and Defenders

    October 31, 2022

    OpenSSL has announced a critical fix in version 3.0.7 to be released Nov 1st. It means that on Tuesday the race will start between those who patch and those who exploit.

    Read More
    On Oct 7th, Toyota announced a possible data leakage incident. The compromised data contained 296,019 customers' private information, including customers' personal email addresses.
    Threats

    Toyota Customer Data Leaked Due To Software Supply Chain Attack

    October 12, 2022

    On Oct 7th, Toyota announced a possible data leakage incident. The compromised data contained 296,019 customers' private information, including customers' personal email addresses.

    Read More
    On the 29th of September, it was revealed that the installer for the widely used Comm100 Live Chat application included malicious trojan malware. The installer was compromised using a supply chain attack on the Comm100 development pipeline.
    Threats

    Software Supply Chain Attack Leads to Trojanized Comm100 Installer

    October 03, 2022

    On the 29th of September, it was revealed that the installer for the widely used Comm100 Live Chat application included malicious trojan malware. The installer was compromised using a supply chain attack on the Comm100 development pipeline.

    Read More
    Malicious actors are poisoning your artifacts to compromise your software supply chain. Learn how to protect your software artifacts and secure servers.
    Best Practices Threats

    Software Artifacts Best Practices to Prevent Getting Hacked

    September 19, 2022

    Malicious actors are poisoning your artifacts to compromise your software supply chain. Learn how to protect your software artifacts and secure servers.

    Read More
    A popular vendor of Magento-Wordpress plug-ins/integrations with 200,000 downloads, has been hacked. This attack is a reminder that malicious 3rd party plug-ins for popular platforms, in this case FishPig integrations for Magento e-commerce platforms, can open the door to critical vulnerabilities.
    Threats

    New Software Supply Chain Attack Installs Trojans on Adobe's Magento E-Commerce Platform

    September 15, 2022

    A popular vendor of Magento-Wordpress plug-ins/integrations with 200,000 downloads, has been hacked. This attack is a reminder that malicious 3rd party plug-ins for popular platforms, in this case FishPig integrations for Magento e-commerce platforms, can open the door to critical vulnerabilities.

    Read More
    GitHub’s required reviewers capability can be bypassed if currently using this setting to require at least one code review before merging code.
    Threats SCMs

    Attackers Can Bypass GitHub Required Reviewers to Submit Malicious Code

    September 08, 2022

    GitHub’s required reviewers capability can be bypassed if currently using this setting to require at least one code review before merging code.

    Read More
    Learn how Legit Security discovered a vulnerable GitHub actions workflow that affected Google, Apache and potentially many more. Get details on the vulnerability and what you can do to mitigate it.
    Legit Threats SCMs

    Google & Apache Found Vulnerable to GitHub Environment Injection

    September 01, 2022

    Learn how Legit Security discovered a vulnerable GitHub actions workflow that affected Google, Apache and potentially many more. Get details on the vulnerability and what you can do to mitigate it.

    Read More
    LastPass data breach: unauthorized access compromised developer accounts and proprietary source code. Learn about the LastPass security incident details and how to protect your business.
    Best Practices Threats

    How Was LastPass Compromised?? Software Supply Chain Attack Tips

    August 29, 2022

    LastPass data breach: unauthorized access compromised developer accounts and proprietary source code. Learn about the LastPass security incident details and how to protect your business.

    Read More
    Earlier today, Stephan Lacy published a Twitter post about a massive attack on GitHub. Even though later it was understood that none of the original GitHub repositories was infected, the attack attempt is a huge deal.
    Threats SCMs

    Breaking News: How a Massive Malware Attack Almost Occurred on GitHub

    August 03, 2022

    Earlier today, Stephan Lacy published a Twitter post about a massive attack on GitHub. Even though later it was understood that none of the original GitHub repositories was infected, the attack attempt is a huge deal.

    Read More
    We examine a bug we’ve found in a popular third-party GitHub action and how it could lead to your SDLC pipeline being attacked. Read more to improve GitHub security and secure your software supply chain.
    Best Practices Legit Threats SCMs

    Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks

    May 02, 2022

    We examine a bug we’ve found in a popular third-party GitHub action and how it could lead to your SDLC pipeline being attacked. Read more to improve GitHub security and secure your software supply chain.

    Read More
    This GitHub OAuth access token attack was announced by GitHub Security and is a compromise of OAuth access tokens issued to Heroku and Travis-CI integrations.
    Explainers Threats SCMs

    Latest GitHub OAuth Tokens Attack Explained and How to Protect Yourself

    April 18, 2022

    This GitHub OAuth access token attack was announced by GitHub Security and is a compromise of OAuth access tokens issued to Heroku and Travis-CI integrations.

    Read More
    On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important lessons in securing a software supply chain.
    Threats SCMs

    A Cautionary Tale: The Untold Story of the GitLab CVE Backdoor (CVE-2022-1162)

    April 06, 2022

    On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important lessons in securing a software supply chain.

    Read More
    Learn how Legit Security discovered a vulnerable GitHub actions workflow. Get details on the vulnerability and and what you can do to mitigate it.
    Best Practices Legit Threats SCMs

    Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline

    April 04, 2022

    Learn how Legit Security discovered a vulnerable GitHub actions workflow. Get details on the vulnerability and and what you can do to mitigate it.

    Read More
    What are secrets in source code, why they must be protected, and how to keep them safe.
    Explainers Threats SCMs

    Detecting Secrets in Your Source Code

    March 11, 2022

    What are secrets in source code, why they must be protected, and how to keep them safe.

    Read More

    Request a Demo

    Request a demo including the option to analyze your own software supply chain.

    Request a Demo