Semgrep (@semgrep)

2.4K posts

A fast, open-source, static analysis tool for profoundly improving software security and reliability.

only on your local machine · Joined May 2019
202 Following · 4.3K Followers

Semgrep@semgrep·
Malicious node-ipc package. If your applications use client/server messaging, inter-process communication between mobile/desktop and web services, or orchestrate messaging and workflows, you should verify your CI/CD builds haven't pulled down the package today. This package is Wikipedia-infamous for the peacenotwar dependency in 2022 that attacked any IP addresses originating from Belarus and Russia. To check your projects at scale and for additional remediation steps: semgrep.dev/blog/2026/not-…

Semgrep@semgrep·
How much time does your security team waste re-explaining the same context to your security scanner every single week? 👀 Yeah, we know...

We analyzed thousands of user-managed memories to understand what context teams are encoding. When we clustered the full set of platform memories by goal, two categories represent nearly half (47.5%) of all the context security teams are adding to their SAST scanners:

🔵 Non-production environments (25.6%): Letting the scanner know that findings in test scripts or local dev tools aren't production risks.
🔵 Framework protections (21.9%): Accounting for security controls that your middleware or ORM already handles.

With Semgrep Memories, instead of manually dismissing the same patterns over and over during triage, you encode the logic once and let the AI apply that context at scale. Imagine all the time you can save in all future scans.

Dive deeper👇 semgrep.dev/blog/2026/insi…

Semgrep@semgrep·
Semgrep CLI and editor plugins surface issues while you're writing code. In this example, Semgrep immediately flagged this vulnerability in the developer's IDE. You don't need to wait for a scan at the end of the pipeline to catch issues like this. Try writing and testing your own rules in the Semgrep Playground 👇 semgrep.dev/playground/

Semgrep@semgrep·
A Mini Shai-Hulud-style supply chain attack is hitting TanStack Router and dozens of npm packages. Semgrep researchers found encrypted credential exfiltration, persistence mechanisms, and a dead man’s switch: IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner. Details as new information is learned about how it works: semgrep.dev/blog/2026/tans…

Semgrep@semgrep·
Why do most agent skills fail? Most skills fail for the same reason: they’re written like documentation rather than decision support. After building and testing hundreds of them, we’ve identified several tips that consistently separate the skills agents apply reliably from the ones they ignore or misapply:

1. Keep the scope tight
2. Provide concrete examples
3. Encode decision logic
4. Reference specific frameworks and languages
5. Explain what to do, not what to avoid
6. Learn from existing collections like github.com/semgrep/skills

Check out the full guide to learn how to write skills that make your AI-generated code more secure. 👇 semgrep.dev/blog/2026/secu…

Semgrep@semgrep·
This single Semgrep rule caught a command injection issue in a Node.js snippet. Now scale that across:

- thousands of community rules
- Pro rules maintained by security researchers
- your own custom rules tailored to your codebase

Semgrep supports 35+ languages and fits directly into your dev workflow to catch known vulnerable patterns early. You can also write and test your own rules in minutes using the Semgrep Playground 👇 semgrep.dev/playground/

Semgrep@semgrep·
Where does your security or code program actually stand? If you aren't tracking these metrics, you might be flying blind. Here is what your team should be taking into consideration 👇

Semgrep@semgrep·
AI is already scanning code, reviewing pull requests, and generating fixes. So where does that leave AppSec engineers? 👀 In our next Security Rulez session, Dr. Katie Paxton-Fear (@InsiderPhD) sits down with Lyft Tech Lead Anshuman Bhartiya to explore how the role of AppSec is evolving in an AI-driven world and what engineers should focus on next.

📆 May 20
🕛 8:00 AM PT / 4:00 PM UTC

Register now to join the conversation: 👉 semgrep.dev/events/securit… #AppSec #CyberSecurity #AI #DevSecOps

Semgrep@semgrep·
London gave us a clear signal last week.🇬🇧 Across our EMEA Customer Advisory Board (CAB) and AWS Summit London, one theme kept coming up: How do we make security seamless in the SDLC without slowing developers down?

At our EMEA CAB, we had candid conversations with customer champions across EMEA around product direction, AI, developer workflows, and what modern AppSec teams need next. At the AWS Summit London, the conversations reinforced the same points.

✅ Teams want speed.
✅ They want security integrated where developers already work.
✅ They need to secure AI-generated code.
✅ And they are done dealing with noisy tools.

The opportunity is clear: build security that developers trust, AppSec teams can rely on, and modern software teams can move fast with. Read the complete blog for all the insights👉 semgrep.dev/blog/2026/apps…

Semgrep@semgrep·
How should AppSec teams think about Mythos? AppSec teams should know that attackers will use models like Mythos to find 0-days as quickly as possible. But if your team is already drowning in vulnerability noise, simply adding a new AI "bug finder" isn't helpful; it just pads the backlog. You need a way to prioritize and fix, not just detect. Fixing bugs is only half the battle. The future of AppSec isn't just about remediation; it’s about writing secure code from the start. That’s what we are building. Check out the full article to see how we're closing the gap with Mythos 👇 semgrep.dev/blog/2026/myth…

Semgrep@semgrep·
We're thrilled to welcome @cathy_polinsky to Semgrep as Co-CTO and VP of Engineering. She joins at a moment when AI-generated code is flooding enterprise codebases faster than security teams can review it, and she's here to build the engineering organization to change that. Cathy brings 20+ years of engineering leadership, including two prior CTO roles, at Salesforce, Stitch Fix, and Shopify. Learn more about her and what to expect from the press release: businesswire.com/news/home/2026…

Semgrep@semgrep·
Writing more regex won’t fix noisy security tools. What they need is context. Semgrep Multimodal looks at the mitigating context around a finding and the nuances that basic static analysis alone can never catch. The result? Fix what matters, ignore what doesn't. Reduce manual triage by 20% the very first day you turn it on. Demonstrate ROI from the start, not 6 months down the line. See through the noise: semgrep.dev/products/semgr…

Semgrep@semgrep·
We have a packed schedule of in-person summits and technical workshops coming up. Here is where you can find us this month:

🟢 In-Person Events:
- May 5: Cyberkicks Denver – Catch Meghan Schoettley in Denver for a local security community meetup.
- May 7: AWS Summit Stockholm – We’re heading to Sweden! Stop by to talk cloud security and automated remediation.
- May 14: SF Secure Software and AppSec Summit – Join Alex Kausen and Chris Brooks in San Francisco for a day dedicated to the future of AppSec.

🔵 Virtual & Webinars:
- May 20: Security Rulez: Should AppSec Engineers Still Learn AppSec? Anshuman Bhartiya and Dr. Katie Paxton-Fear discuss how the role of the AppSec engineer is changing in the AI era.
- May 21: Shaken, Stirred, and Secured – A virtual cocktail class where we talk security while mixing drinks. (North America)
- May 27: Hands-On Workshop: Semgrep Workflows – A practical session on building and deploying security pipelines at scale.

Whether you're looking for deep technical training or just want to connect with other security pros, we'd love to see you there. View all event details here👇 semgrep.dev/events/

Semgrep@semgrep·
Learn how to detect and block malicious dependencies in 3 simple steps with Semgrep Supply Chain 👇

Semgrep@semgrep·
Are your docker secrets exposed? When you build with secrets in `ARG`/`ENV`, they get baked into image layers (viewable with `docker history`). Build cache stores them in plaintext. Anyone with image access extracts them instantly.

The damage:
- Docker history exposes all ARG/ENV values permanently in image layers
- CI/CD systems log every build step, making secrets searchable and accessible to unauthorized users
- Docker's build cache stores unencrypted secrets on disk, vulnerable to machine compromise
- Secrets appear in pipeline logs, dashboards, and centralized logging systems without proper redaction
- Image manifests and registry backups contain plaintext secrets even in "deleted" versions

One ARG can get your infrastructure compromised. Use this Semgrep rule to catch them automatically:

semgrep scan --config secret-in-build-arg.yaml

It flags secret patterns (password, api_key, token, credential) before they reach production. github.com/semgrep/semgre…

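The ARG/ENV problem described in the post above, as an added worked example that is not Semgrep's secret-in-build-arg rule or any other Semgrep code: a small Python checker that joins Dockerfile continuation lines, extracts the keys of every ARG and ENV instruction, and flags keys whose names look like secrets. The substring list it matches on is an assumption for illustration, and both Dockerfiles are constructed inputs: one bakes a registry token into a layer, the other uses a BuildKit secret mount so the token is only visible inside a single RUN step.

```python
"""Flag build-time secrets passed via Dockerfile ARG/ENV instructions.

Added example, not Semgrep's own rule. The key substrings treated as
secrets are an assumption; both Dockerfiles below are constructed inputs.
"""
import re

# Assumption: an ARG/ENV key containing any of these substrings is a secret.
SECRET_KEY_PATTERN = re.compile(
    r"(password|passwd|api[_-]?key|token|credential|secret)", re.IGNORECASE
)

# Constructed: the token lands in an image layer (see `docker history`) and
# in the build cache, so anyone with image access can read it.
VULNERABLE_DOCKERFILE = """\
FROM node:20-alpine
ARG NPM_TOKEN
ENV API_KEY=abc123 \\
    LOG_LEVEL=info
RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc && npm ci
"""

# Constructed: the token is mounted only for one RUN step and never written
# to a layer. Build with: docker build --secret id=npm_token,src=./token.txt .
HARDENED_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM node:20-alpine
ENV LOG_LEVEL=info
RUN --mount=type=secret,id=npm_token \\
    NPM_TOKEN="$(cat /run/secrets/npm_token)" npm ci
"""


def _logical_lines(dockerfile):
    """Yield (first_line_no, text) with backslash continuations joined."""
    buf, start = [], 0
    for line_no, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            start = line_no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:  # dangling continuation at end of file
        yield start, " ".join(buf)


def _keys_in(args):
    """Keys from 'ARG a=1 b', 'ENV a=1 b=2' or the legacy 'ENV KEY value' form.

    Tokenisation is whitespace-based, so quoted values containing spaces are
    not parsed precisely; that only affects values, never the keys inspected.
    """
    tokens = args.split()
    if not tokens:
        return []
    if any("=" in tok for tok in tokens):
        return [tok.split("=", 1)[0] for tok in tokens]
    return [tokens[0]]  # legacy form: first token is the key


def find_build_secrets(dockerfile):
    """Return [(line_no, instruction, key)] for each secret-looking ARG/ENV key."""
    findings = []
    for line_no, text in _logical_lines(dockerfile):
        stripped = text.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        instr = parts[0].upper()
        if instr not in ("ARG", "ENV") or len(parts) < 2:
            continue
        for key in _keys_in(parts[1]):
            if SECRET_KEY_PATTERN.search(key):
                findings.append((line_no, instr, key))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_DOCKERFILE),
                        ("hardened", HARDENED_DOCKERFILE)):
        print(label, find_build_secrets(text))
```

Like the rule the post describes, this matches on key names, not values, so a key such as TOKENIZER_PATH will also trip it; treat hits as review items. The hardened file passes because the secret never appears in an ARG or ENV at all: BuildKit exposes it under /run/secrets/ for the duration of that RUN step and it is absent from `docker history` and the layer cache.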
Semgrep@semgrep·
The Mini Shai-Hulud campaign has reached Packagist. intercom/intercom-php@5.0.2 was compromised with the same payload seen in today's npm and PyPI attacks. Because Packagist mirrors tags from upstream Git repositories, and Git tags can be force-updated to point to a different commit, the attacker was able to overwrite the existing version. On top of that, rather than an npm-style preinstall hook, the PHP artifact registers itself as a Composer plugin and subscribes to post-install-cmd and post-update-cmd events (and then downloads the same Bun payload).

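The "check that your CI/CD builds haven't pulled down the package" step from the node-ipc post above and the Composer-plugin mechanism in this post, as one added worked example that is not Semgrep Supply Chain code: a Python script that walks an npm package-lock.json (v1, v2 or v3) and a composer.lock, reports any package that hits a blocklist, and separately lists every package of type composer-plugin, since those are the packages that can hook post-install-cmd and post-update-cmd. The blocklist is a constructed placeholder (the intercom/intercom-php 5.0.2 entry comes from this post; node-ipc is banned outright here only to illustrate the "any version" case), and both lockfiles are constructed samples with arbitrary versions.

```python
"""Check npm and Composer lockfiles for known-bad package versions, and list
Composer plugins, which run code on post-install/post-update.

Added example, not Semgrep Supply Chain code. The blocklist and both
lockfiles below are constructed samples.
"""
import json

# Assumption: {ecosystem: {package: set_of_bad_versions or None}}.
# None means every version of the package is rejected.
BLOCKLIST = {
    "npm": {"node-ipc": None},
    "composer": {"intercom/intercom-php": {"5.0.2"}},
}

# Constructed package-lock.json (lockfileVersion 3); versions are arbitrary.
NPM_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/node-ipc": {"version": "9.2.1"},
    },
}

# Constructed composer.lock. Composer records the upstream tag in "version",
# so "v5.0.2" and "5.0.2" must compare equal.
COMPOSER_LOCK = {
    "packages": [
        {"name": "intercom/intercom-php", "version": "v5.0.2", "type": "library"},
        {"name": "monolog/monolog", "version": "3.5.0", "type": "library"},
        {"name": "example/installer-plugin", "version": "1.0.0",
         "type": "composer-plugin"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "10.5.0", "type": "library"},
    ],
}


def npm_lock_packages(lock):
    """Yield (name, version) from package-lock.json v1, v2 or v3."""
    # v2/v3: flat "packages" map keyed by install path ("" is the root project)
    for path, meta in lock.get("packages", {}).items():
        if path:
            name = meta.get("name") or path.split("node_modules/")[-1]
            yield name, meta.get("version", "")

    # v1 (and v2, which carries both): nested "dependencies" tree
    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def composer_lock_packages(lock):
    """Yield (name, version, type) from composer.lock prod and dev sections."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            version = pkg.get("version", "").lstrip("v")
            yield pkg["name"], version, pkg.get("type", "library")


def _blocked(ecosystem, name, version, blocklist):
    if name not in blocklist[ecosystem]:
        return False
    bad_versions = blocklist[ecosystem][name]
    return bad_versions is None or version in bad_versions


def check_npm_lock(lock, blocklist=BLOCKLIST):
    """Sorted (name, version) pairs in a package-lock.json that hit the blocklist."""
    return sorted({(n, v) for n, v in npm_lock_packages(lock)
                   if _blocked("npm", n, v, blocklist)})


def check_composer_lock(lock, blocklist=BLOCKLIST):
    """Return (blocklist_hits, plugins).

    A composer-plugin package is not malicious as such, but it can subscribe to
    post-install-cmd / post-update-cmd and so runs code on every install, which
    is exactly the hook this campaign used; review each one by name.
    """
    hits, plugins = set(), set()
    for name, version, pkg_type in composer_lock_packages(lock):
        if _blocked("composer", name, version, blocklist):
            hits.add((name, version))
        if pkg_type == "composer-plugin":
            plugins.add(name)
    return sorted(hits), sorted(plugins)


if __name__ == "__main__":
    import sys
    # Usage: python check_locks.py package-lock.json composer.lock (any order)
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            lock = json.load(fh)
        if path.endswith("composer.lock"):
            print(path, *check_composer_lock(lock))
        else:
            print(path, check_npm_lock(lock))
    if len(sys.argv) == 1:
        print("npm:", check_npm_lock(NPM_LOCK))
        print("composer:", check_composer_lock(COMPOSER_LOCK))
```

Run it against the lockfiles checked into each repository rather than against node_modules or vendor, since the lockfile is what CI resolves from; a hit on a blocklisted version means a build may already have executed the package's install hook, and the post's remediation advice (rotate credentials from the affected environment) applies to that build host. Because Packagist serves whatever commit the force-updated tag points at, a composer.lock entry also carries the resolved commit under "source", which is worth comparing against the upstream tag when an advisory names a specific overwritten version.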
Semgrep@semgrep·
PyTorch Lightning is a popular Python framework that simplifies training deep learning models, widely used in AI/ML research and engineering. Versions 2.6.2 and 2.6.3 were compromised with Shai-Hulud malware. For all Semgrep Supply Chain customers we published a rule at 2026-04-30T14:23:16Z; check the advisory panel to see if you are affected. If you have a match: rotate GitHub tokens, cloud credentials, and API keys from the affected environment, and audit your repos for unexpected files in .claude/ and .vscode/.

Semgrep@semgrep·
Shai-Hulud compromised lightning on PyPI and named their malware campaign EveryBoiWeBuildIsAWormyBoi. Anyway, we wrote some rules; full write-up in the blog. #EngineeringTakeover