Oliver Kopitz
2.3K posts

@Oliver_Semgrep
Grephead
San Francisco, joined June 2015
291 Following, 185 Followers
Pinned Tweet

@BiltRewards got this interest charge but I have paid all my bills on time - how can I get this removed?
Oliver Kopitz retweeted

The Mini Shai-Hulud campaign has reached Packagist. intercom/intercom-php@5.0.2 was compromised with the same payload seen in today's npm and PyPI attacks. Packagist mirrors tags from upstream Git repositories, and Git tags can be force-updated to point to a different commit, meaning the attacker overwrote the existing version.
And on top of that, rather than an npm-style preinstall hook, the PHP artifact registers itself as a Composer plugin and subscribes to post-install-cmd and post-update-cmd events (and then downloads the same Bun payload).
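As an added example (not part of the post above, and not Semgrep project code), here is a Python audit script that takes the defender's side of the mechanism the post describes. Composer never runs a dependency's own `scripts` entries (only the root package's), so a dependency that wants code to run at install time has to be a package of `type: composer-plugin`, and Composer 2.2+ only loads plugins that the root project's `config.allow-plugins` permits. The script walks a `vendor/` tree, flags plugin packages whose PHP sources mention `post-install-cmd` or `post-update-cmd`, and checks each against the root `allow-plugins` policy. The vendor tree, the package names (`acme/harmless-lib`, `example-vendor/install-hook`) and the plugin source are constructed inline for the demo.

```python
"""Audit a Composer vendor tree for plugins that hook install/update events.

Added example, not code from the original post or from Semgrep. Package names,
paths and the plugin source below are constructed for the demo.
"""
import json
import re
from fnmatch import fnmatch
from pathlib import Path
from tempfile import TemporaryDirectory

# Matches both the PHP constant names (ScriptEvents::POST_INSTALL_CMD) and the
# string values ('post-install-cmd') a plugin uses to subscribe to an event.
EVENT_RE = re.compile(r"(?P<ev>(?:pre|post)[-_](?:install|update)[-_]cmd)", re.IGNORECASE)
INSTALL_HOOKS = {"post-install-cmd", "post-update-cmd"}


def _normalize(event: str) -> str:
    """Fold 'POST_INSTALL_CMD' and 'post-install-cmd' into one spelling."""
    return event.lower().replace("_", "-")


def audit_vendor(vendor_dir: Path) -> list[dict]:
    """List installed packages of type composer-plugin and the install/update
    events their PHP sources mention. Ordinary libraries cannot run scripts
    at install time, so only plugins need a closer look."""
    findings = []
    for manifest in sorted(vendor_dir.glob("*/*/composer.json")):
        meta = json.loads(manifest.read_text())
        if meta.get("type") != "composer-plugin":
            continue
        events = set()
        for php in manifest.parent.rglob("*.php"):
            source = php.read_text(errors="ignore")
            events.update(_normalize(m.group("ev")) for m in EVENT_RE.finditer(source))
        findings.append({
            "name": meta.get("name", str(manifest.parent)),
            "class": meta.get("extra", {}).get("class"),  # plugin entry class
            "events": sorted(events),
        })
    return findings


def plugin_allowed(name: str, allow_plugins) -> bool:
    """Composer's config.allow-plugins semantics: true allows every plugin,
    false or missing allows none, a map allows the names (or globs) set to true."""
    if allow_plugins is True:
        return True
    if not isinstance(allow_plugins, dict):
        return False
    return any(ok and fnmatch(name, pattern) for pattern, ok in allow_plugins.items())


def evaluate(root_manifest: dict, findings: list[dict]) -> list[dict]:
    """Join the audit findings with the root project's allow-plugins policy."""
    policy = root_manifest.get("config", {}).get("allow-plugins", False)
    return [
        {**f, "allowed": plugin_allowed(f["name"], policy),
         "hooks_install": bool(set(f["events"]) & INSTALL_HOOKS)}
        for f in findings
    ]


# Constructed plugin source: subscribes to both install-time events.
SAMPLE_PLUGIN_PHP = """<?php
namespace Example;
use Composer\\EventDispatcher\\EventSubscriberInterface;
use Composer\\Plugin\\PluginInterface;
use Composer\\Script\\ScriptEvents;
class Plugin implements PluginInterface, EventSubscriberInterface {
    public static function getSubscribedEvents() {
        return [ScriptEvents::POST_INSTALL_CMD => 'onInstall', 'post-update-cmd' => 'onInstall'];
    }
    public function onInstall($event) { /* sample: hook body omitted */ }
}
"""


def build_sample_vendor(root: Path) -> None:
    """Write a constructed vendor tree: one plain library and one plugin."""
    lib = root / "vendor" / "acme" / "harmless-lib"
    lib.mkdir(parents=True)
    (lib / "composer.json").write_text(json.dumps({"name": "acme/harmless-lib", "type": "library"}))
    plug = root / "vendor" / "example-vendor" / "install-hook"
    (plug / "src").mkdir(parents=True)
    (plug / "composer.json").write_text(json.dumps({
        "name": "example-vendor/install-hook",
        "type": "composer-plugin",
        "extra": {"class": "Example\\Plugin"},
    }))
    (plug / "src" / "Plugin.php").write_text(SAMPLE_PLUGIN_PHP)


def demo() -> list[dict]:
    """Run the audit against the constructed tree with a root policy that only
    trusts acme/* plugins, so the hooking package shows up as not allowed."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_vendor(root)
        root_manifest = {"config": {"allow-plugins": {"acme/*": True}}}
        return evaluate(root_manifest, audit_vendor(root / "vendor"))


if __name__ == "__main__":
    for row in demo():
        print(json.dumps(row))
```

Against a real checkout, call `evaluate(json.load(open("composer.json")), audit_vendor(Path("vendor")))`. The event regex is a heuristic (a plugin can reach the same hooks through other event names or indirection), so the authoritative check is the combination of `type: composer-plugin` and a restrictive `allow-plugins` map; a policy of `true` disables that control entirely.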

Oliver Kopitz retweeted

The TeamPCP supply chain campaign that began with Trivy in March has now reached Checkmarx's Docker images, VS Code extensions, and Bitwarden CLI.
Attackers Are Still Coming for Security Companies. Here's Where We Stand. Our latest post explains what happened, what we do ourselves, and what you should do to protect yourself.
semgrep.dev/blog/2026/atta…
Oliver Kopitz retweeted

Excited to see that the @Replit Security Agent, powered by Semgrep, is now available.
Replit's Security Agent is a great example of what's possible when you pair the contextual reasoning of LLMs with the determinism and program analysis capabilities of Semgrep. We're excited to see this combination in the hands of the builder community.
Replit ⠕@Replit
Meet Replit Security Agent - providing comprehensive app security reviews in minutes And you get $5 in credits to try it for a limited time Security Agent’s hybrid static analysis and AI-scanning approach is first of its kind: - Acts on custom threat model to review full codebase - Resolves vulnerabilities in parallel using background tasks - Reduces false positives by 90% Powered by @semgrep + @HoundDogAI. Keep vibe coding safely 🔒
English

Semgrep chosen to be part of OpenAI’s Trusted Access for Cyber Program
semgrep.dev/blog/2026/semg…
Oliver Kopitz retweeted

The TeamPCP vulnerability being discussed today uncovered a security bug in the telnyx Python package. Client libraries like these are used to speed up adoption, but should undergo the same security workflows as regular production code would.
semgrep.dev/blog/2026/clie…

Oliver Kopitz retweeted

Today, we are introducing Semgrep Multimodal.
We’ve combined rule-based analysis that is fast and consistent at identifying OWASP Top 10 issues like SQLi and XSS with AI reasoning to catch business logic flaws like IDOR, Broken Auth, and more.
What our early customer trials observed:
- 8x more true positives
- 50% fewer false positives
Semgrep Multimodal is available on Semgrep accounts to try for yourself.
Let us know what you find.
semgrep.dev/blog/2026/atta…

Oliver Kopitz retweeted

We currently have 30+ open positions across the company. If you’re passionate about building a more secure future for software, we’d love to meet you.
Here are a few of our current openings across different teams:
- Product: Senior Product Designer
- Engineering: Software Engineer, Infrastructure
- Marketing: Staff Security Advocate
- Sales: Account Manager
- People: People Experience Specialist
- Finance: Payroll Specialist/Analyst
Explore all our open roles 👉 semgrep.dev/about/careers/
#Hiring #AppSec #EngineeringJobs #TechCareers

Oliver Kopitz retweeted

The Node.js sandbox library vm2 has disclosed a critical vulnerability that allows attackers to escape the sandbox and execute arbitrary code. The exploit is public, the CVSS score is 9.8, and any use of vm2 v3.10.1 or earlier should be considered affected. Immediate upgrade is recommended. Learn more in our blog post from @InsiderPhD and Kurt Boberg.
semgrep.dev/blog/2026/call…
Oliver Kopitz retweeted

Last chance to join us! ⏰
Tomorrow at 9:00 AM PT, grab your coffee and tune in for a live, no-slides, no-scripts conversation on the ideas shaping (and shaking up) cybersecurity in 2026.
@InsiderPhD (@semgrep) and @AubreyKingF5 (@F5) will go head-to-head on the industry’s biggest hot takes, from whether AI is actually helping security teams to why developers might not care about security (and why that matters).
🔗 Register here: semgrep.dev/events/unfilte…
#AppSec #Cybersecurity #InfoSec #AI #Events

Oliver Kopitz retweeted

With all eyes on Sha1-Hulud, it’s easy to forget that this is merely the latest in a series of attacks that suggest a new normal where malicious dependencies can wreak havoc on organizations.
That’s why Malicious Dependency Detection is now generally available for Semgrep Supply Chain. Teams can configure policies to automatically block known-bad packages at merge time, preventing backdoors, cryptominers, and trojans from infiltrating production.
✅ 80,000+ confirmed malicious packages covered
✅ Continuously updated intel + same-day incident response
✅ Policy automation with API + Jira integrations
🔗 Read the full blog post for more details: semgrep.dev/blog/2025/bloc…
#AppSec #InfoSec #SupplyChain #AI #Cybersecurity

Oliver Kopitz retweeted

The Semgrep team has officially landed in Las Vegas for AWS re:Invent! ✈️🎉
We’ll be at Booth #486 all week. Come meet the team, grab some great swag, and see how Semgrep helps engineering and security teams ship faster and stay secure with low-noise results and AI-powered guidance across SAST, SCA, and Secrets.
See you on the expo floor! 🙌
#AWSreinvent #Semgrep #AppSec #DevSecOps #Cybersecurity

Oliver Kopitz retweeted

🇧🇪OWASP Benelux Days – see you tomorrow! 🇧🇪
We’re excited to touch down in Mechelen, Belgium soon – for a day of AppSec talks, followed by our ‘Brews & Bytes’ evening event afterwards…
Say hello to our team at their booth, to chat about how you can achieve zero false-positive AppSec – plus win a Mario Kart Lego set too 🏎️
We’ll then head to Het Anker Brewery to experience the best in Belgian beers and cuisine 🍺 (Non-alcoholic options available). Final spaces: semgrep.dev/events/owasp-b…
Hope to see you there!
#AppSec #InfoSec #Cybersecurity

Oliver Kopitz retweeted

A new variant of the Shai-Hulud worm is now impacting 500+ npm packages, introducing not only large-scale secret exfiltration but a persistent GitHub Actions backdoor capable of executing code on self-hosted runners.
This second wave shows a clear pattern:
➡️ Attackers are shifting from “one-and-done” compromises to long-term persistence and lateral movement.
➡️ Supply-chain attacks are increasingly targeting the developer experience itself: installation scripts, GitHub tokens, and npm workflows.
➡️ Secret leakage remains one of the highest-impact failure points in modern engineering orgs.
Our latest deep dive breaks down:
✔️ How the new worm spreads and hides
✔️ How the persistence mechanism works
✔️ What’s changed from the first Shai-Hulud wave
✔️ Concrete steps teams should take today to assess exposure
👉 Read the full analysis: semgrep.dev/blog/2025/digg…
#AppSec #Cybersecurity #InfoSec

Oliver Kopitz retweeted

The Semgrep team is heading to Las Vegas! ✈️✨
We’ll be at AWS re:Invent from December 1st - 4th, and we can’t wait to meet you there.
Stop by Booth #486 to meet the team, grab some great swag, and see how Semgrep helps engineering and security teams ship faster and stay secure with low-noise results and AI-powered guidance across SAST, SCA, and Secrets.
We can’t wait to see you there! 🙌
#AWSreinvent #Semgrep #AppSec #DevSecOps #Cybersecurity

Oliver Kopitz retweeted

🚀 New Whitepaper: How @squarespace Scaled AppSec with Semgrep
We’re excited to share a deeper look at how Squarespace strengthened its developer-first security program and scaled AppSec across thousands of repositories while maintaining the engineering velocity their teams rely on.
🗞️ Download the whitepaper: semgrep.dev/resources/scal…
This whitepaper serves as a blueprint for teams looking to bring real, actionable security signal directly into developer workflows.
Inside the whitepaper:
• 80% of repositories onboarded in the first month
• A monitor → comment → block rollout that built developer trust
• Reachability insights that focused effort on real, reachable issues
• How Managed Scanning (SMS) helped scale visibility across thousands of repos
If you’re building or evolving a developer-first AppSec program, this is an excellent blueprint worth exploring.
#AppSec #DevSecOps #ApplicationSecurity #DeveloperFirst #SoftwareSecurity #CodeSecurity #SecureDevelopment #Semgrep

Oliver Kopitz retweeted

We’ve got a packed lineup of webinars coming up, and you won’t want to miss them! 🔥
📅 November 19
Get a live look at our biggest autumn updates from the experts themselves — plus roadmap sneak peeks, Q&A, and a chance to win a R2-D2™ LEGO® Star Wars™ set!
🎟️ Register here: semgrep.dev/events/semgrep…
📅 November 20
See how real teams are streamlining AppSec triage and cutting down false positives with AI-driven insights. Bonus: attendees will receive a Semgrep swag item of their choice!
🎟️ Register here: semgrep.dev/events/real-wo…
📅 November 26
Join @AubreyKingF5 and @InsiderPhD as they go head-to-head on some of cybersecurity's hottest takes — from “Is AI actually helping security teams?” to “Are devs justified in not caring about security?”
🎟️ Register here: semgrep.dev/events/unfilte…
We hope to see you there! 🚀
#AppSec #cybersecurity #InfoSec #AI #Webinars
Oliver Kopitz retweeted

🗓️ On Nov 26 at 9AM PT, join @InsiderPhD, Staff Security Advocate (@semgrep) and @AubreyKingF5, Community Evangelist (@F5) for a live conversation about some of the most controversial ideas shaping our industry.
No slides. No scripts. Just two security pros debating questions like: Is AI really helping security teams? Are developers justified in tuning out security?
Expect strong opinions, candid discussion, and a good dose of humour as they unpack what’s hype, what’s helpful, and what’s just hot air.
🔗 Register here: semgrep.dev/events/unfilte…
#AppSec #InfoSec #Cybersecurity #AI

Oliver Kopitz retweeted

🚀 AI-powered detection is coming to Semgrep.
We’re launching Semgrep AI-powered detection — a first-of-its-kind hybrid of deterministic scanning and AI that finds vulnerabilities like IDORs and business logic flaws that other tools miss. Our Private Beta opens today, and spots are limited.
👉 Read the press release, then join the waitlist to be among the first to try it (free during beta):
🔗 prnewswire.com/news-releases/…
Be part of the next era in code security — powered by Semgrep + AI.
#AppSec #AI #SoftwareSecurity #Semgrep #ApplicationSecurity #DevSecOps #LLM #SAST
