SURIQSupply-chain attacks
Compromised packages, poisoned updates, and vendor integrations turned hostile across the software and SaaS supply chain.
The app you're testing can hijack the AI agent testing it: Appium MCP's XSS flaw
An XSS flaw in Appium's official MCP server let a hostile test app hijack the AI agent driving it and call its tools. Patch appium-mcp to 1.85.10 now.
Mastra's npm packages passed inspection, then turned hostile a day later
Attackers hijacked a dormant maintainer account to poison 140+ Mastra npm packages with a wallet-stealing payload. Here is who is exposed and what to rotate
Your Salesforce wasn't breached. A connected app handed over the data.
The Icarus group stole Salesforce CRM data through Klue's connected app, not a Salesforce flaw. Why OAuth integration tokens are the unmonitored attack surface.
JetBrains Plugins Are Stealing AI API Keys, and You Find Out From the Bill
Aikido found 15 JetBrains Marketplace plugins stealing AI API keys across 70,000 installs. Why a stolen metered key shows up as a bill, not an alert, and what
Awesome Motive's WordPress CDN backdoor only fired for logged-in admins. Your scanner missed it.
OptinMonster, TrustPulse and PushEngage served a backdoor that ran only for logged-in WordPress admins, evading visitor scanners. How to scope and hunt it.
Ready to meet the Guardians?
Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.