Corgea (YC S23)
@CorgeaInc
77 posts

Corgea automatically fixes vulnerable source code, reducing development effort by 80%. Sign up today for free! https://t.co/b5A9ZgkqhI

San Francisco · Joined September 2020
152 Following · 163 Followers
Pinned Tweet
Corgea (YC S23) @CorgeaInc
🎉 We’re thrilled to publicly launch Corgea, a platform that automatically secures your vulnerable source code. You can read the full announcement here and sign up for free: corgea.com/blog/introduci… 🧵👇
Corgea (YC S23) @CorgeaInc
💻 How to Secure Developer Machines Against Supply Chain Attacks. Developer machines are now one of the most attractive targets in software supply chain security. We put together a practical software supply chain security checklist for developer machines: corgea.com/learn/how-to-s…
Corgea (YC S23) @CorgeaInc
CVE-2026-48172: exploited LiteSpeed cPanel plugin bug lets any tenant reach root
Joomla 5.4.6 and 6.1.1 patch com_users privilege-escalation paths
Snipe-IT 8.4.1 closes API admin escalation, component-note XSS, and open redirect flaws
corgea.com/research
Corgea (YC S23) retweeted
Ahmad Sadeddin @asadeddin
npm adding 2FA-gated publishing and install controls is a good step. The important shift: package registries are becoming part of the security boundary. Supply chain attacks are not just about vulnerable dependencies anymore. They’re about compromised maintainer accounts, poisoned releases, malicious install sources, and abused CI/CD workflows. thehackernews.com/2026/05/npm-ad…
Corgea (YC S23) @CorgeaInc
📰 Corgea's weekly briefing for 19-26 May 2026 covers:
- GitHub internal repository breach tied to the Nx Console compromise
- TrapDoor's multi-registry package malware campaign
- Exploited Drupal and Langflow KEV vulnerabilities
and more: corgea.com/research/weekl…
Corgea (YC S23) retweeted
Ahmad Sadeddin @asadeddin
🏮 Hot off the press: 3 new vulnerability research articles that everyone should read:
- art-template npm compromise delivered a Coruna-like iOS exploit kit (Critical 🔴)
- CVE-2025-34291: Langflow CORS and refresh-token chain reaches RCE (Critical 🔴)
- CVE-2026-46333: Linux ptrace race leaks privileged file descriptors (High 🟠)
corgea.com/research
Corgea (YC S23) retweeted
Ahmad Sadeddin @asadeddin
Here's our full analysis of the May 2026 GitHub breach where TeamPCP used a compromised Nx Console VS Code extension to steal 3,800 internal repositories. Covers the attack chain from TanStack to GitHub, credential harvesting, Sigstore forgery, and organizational remediation. corgea.com/research/githu…
Corgea (YC S23) retweeted
GitHub @github
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
Corgea (YC S23) retweeted
Ahmad Sadeddin @asadeddin
“Given enough eyeballs, all bugs are shallow” was the open source security model. AI changes that. Now it’s closer to: given enough inference, all bugs are shallow. It creates a hard question: Who pays for the inference? We benchmarked Claude Opus 4.6 with a 1M-token context window against Corgea v1 and v2 on a manually verified vulnerable application suite. corgea.com/blog/given-eno…
Corgea (YC S23) @CorgeaInc
🚨 The Mini Shai-Hulud / TeamPCP supply-chain campaign expanded into the AntV ecosystem with a rapid npm publish wave against the `atool` maintainer account and a smaller set of packages associated with the `prop` account. corgea.com/research/antv-…
Corgea (YC S23) retweeted
Ahmad Sadeddin @asadeddin
Here's a trick: automated fixing backlog with coding automations like Cursor, Claude Code, or Codex. youtu.be/dMoof9u4oQo
Corgea (YC S23) retweeted
Ahmad Sadeddin @asadeddin
We've all been seeing the news and it's clear that GitHub Actions isn’t just CI anymore. It's now part of your supply chain. We put together a practical checklist for locking it down, but the highest-impact controls are pretty simple: 🧵
Corgea (YC S23) @CorgeaInc
@IceSolst Thanks for the shoutout! Love the work you're doing explaining all of this.
Corgea (YC S23) retweeted
Scaling DevTools Podcast @ScalingDevTools
New episode with @asadeddin from @CorgeaInc:
00:00 Fundraising = vanity metric?
04:15 Lean teams ftw
11:04 How Corgea pivoted
14:42 Don't do design partnerships, ask people to pay
27:36 Building better tools
39:25 Survival / mindset
Corgea (YC S23) @CorgeaInc
@JamesBerthoty @IceSolst @ZeroPathAI Thanks for tagging us James. Here's a real example where the comment and the vulnerability don't match. You can see the comment says SQL injection but Corgea is clearly marking this as a false positive despite the comment.
James Berthoty @JamesBerthoty
@IceSolst @ZeroPathAI Early versions were, but I've seen them and @CorgeaInc tune in a way where they actually tend to call out that the comment is wrong - I'd like to think it's because in my test repo I have misleading comments 😂
Corgea (YC S23) retweeted
Fernando Irarrázaval🔸
Thanks @CorgeaInc for sponsoring HackMyClaw. We increased the prize to $300 USD and they are helping cover some of the API costs.
solst/ICE of Astarte @IceSolst
There's a few new AI-native SAST tools on the market, and they work well.
- Almanax
- Amplify Security
- @CorgeaInc
- DryRun Security
- Gecko Security
- @ZeroPathAI (they have some insane blog posts, but that's a story for another post)
Corgea (YC S23) @CorgeaInc
Corgea Launch Week is here! We’re dropping a brand-new feature every day—and today, it’s a game-changer for policy creation. With Policy Playground and Policy Optimizer, we’re redefining how AppSec teams create, test, and refine detection logic. corgea.com/blog/ai-powere…
Corgea (YC S23) @CorgeaInc
Corgea's live on Product Hunt! Head over to the link in the comments to support.