Composition Analysis stories

Sonatype flags 21,764 malicious open-source packages in Q1 2026, with npm hit hardest as attackers used trusted workflows to steal secrets.

Open source malware advisories jumped in 2025 as Endor Labs warned that firms are under-prepared and budgets lag the threat.

AppOmni upgrades Heisenberg to help teams trace GitHub Actions and spot tainted dependencies after the LiteLLM supply chain breach.

NetRise unveils Provenance, a tool to trace open source maintainers and stop risky dependencies before they spread through software.

Sonatype says smaller AI tied to live software data can outsecure larger models on dependency upgrades, slashing risk and cost.

Cloudsmith adds automated controls to quarantine and block risky dependencies, tightening enforcement on software supply chain security.

Veracode unveils an AI-driven tool that automatically fixes open-source vulnerabilities, tackling mounting security debt in software supply chains.

Keysight debuts SBOM Manager to automate software bills of materials as EU and US cyber rules tighten transparency and compliance demands.

Harness has launched AI Security and Secure AI Coding tools to spot and block vulnerabilities in AI-powered apps and AI-generated code.

ActiveState launches Curated Catalog, a private, pre-vetted open source repository to tighten software supply chain security for enterprises.

Manifest unveils SBOM generator for unmanaged C and C++ code, tackling critical supply chain blind spots in embedded and safety systems.

ActiveState appoints seasoned open source leader Abby Kearns as Chief Executive, sharpening its focus on managed open source security.

Secure.com warns most apps hide critical flaws in open source components, as unpatched dependencies and licence risks leave firms exposed.

Endor Labs unveils AURI, a security intelligence platform embedding reachability-led checks into AI coding assistants and CI/CD pipelines.

Manifest research reveals executives overestimate AI security readiness, as AppSec teams warn of unmanaged tools, blind spots and rising risk.

Security debt hits 82% of organisations as legacy flaws linger over a year, with third-party code driving most critical vulnerabilities.

Rapid AI and cloud adoption is fuelling a new wave of cyber risk, as Tenable warns of exposed software supply chains and “ghost” identities.

ActiveState launches a 79m-component secure open source catalogue to centralise software supply chains and cut enterprise vulnerability risk.

Endor Labs acquires Autonomous Plane to add reachability-led container image analysis, promising fewer false positives for security teams.

Armis launches AI-native Centrix platform to secure application code, aiming to cut false alarms and safeguard AI-assisted development.