Semgrep

What if your HTTP library was actually malware? For about three hours yesterday, that was true after a supply chain attack compromised Axios (https://lnkd.in/gUxj4FvV), which gets 100 million npm downloads per week. Read more on how we are helping customers determine whether they were affected:

An axios security incident appears to have been quickly contained by NPM. With ~40 million weekly downloads even a short window could have been impactful from a malicious dependency included in the package. Great write-ups from OpenSourceMalware and StepSecurity are worth a read if you want to know more about how this malware works. Initial reports are this is similar to some of the incidents last summer, a maintainer's account was compromised allowing a dependency being added to axios's package.json with a malicious postinstall. Semgrep customers can check the advisories from the web dashboard (link in comments) to verify if the impacted versions have been pulled as a supply chain dependency.

Semgrep Community Edition applies community-maintained rule sets to analyze files tracked by the `.git` file inside your project, identifying security vulnerabilities and insecure coding patterns. After the scan completes, Semgrep CLI produces a concise, structured summary of findings, including rule identifiers, matched code snippets, and file locations to support further investigation and remediation. The community edition is free. Read more👇 https://lnkd.in/gB6TNF-R

🔵Tomorrow is the next Security Rulez! Join Dr. Katie Paxton-Fear and Akira Brandt as they dig into what happens when identity systems become the next security bottleneck. As regulators push platforms to prove who their users are, identity verification is becoming a central part of modern compliance. However, these systems also introduce new challenges around security, privacy, and risk. 📆 March 31 🕛 8:00 AM PT / 3:00 PM UTC Register now👇 (🔗 in the comments)

Last chance to join our live workshop on responding to emergent supply chain threats in EMEA! 🌀 📆On Thursday 2 April at 11:00 UK, Mehdi Mhamedi will walk through how to use Semgrep to detect risky packages, understand impact, and move from detection to remediation with a clear, repeatable approach. If the next dependency issue landed today, would your team be ready? Register here👇(🔗 in the comments) #AppSec #SupplyChainSecurity #DevSecOps #SoftwareSupplyChain #CyberSecurity

Python has at least eight(?!) ways to execute system commands, and most of them are injectable if you pass user input. We maintain a command injection cheat sheet that covers the common patterns and their fixes. A few highlights: Vulnerable: subprocess.call("grep -R {} .".format(user_input), shell=True) os.system("grep -R {} .".format(user_input)) Safe: subprocess.run(["grep", "-R", user_input, "."]) The fix is almost always the same: use array-based arguments instead of string formatting, and keep `shell=False` (which is the default). When you pass an array, each element becomes a separate argument. The shell never interprets the input, so injection is structurally impossible. Semgrep has pre-built rules for all of these: - python.lang.security.audit.dangerous-subprocess-use - python.lang.security.audit.subprocess-shell-true - python.lang.security.audit.dangerous-system-call Run semgrep --config "p/python" on your codebase and these rules are included. Or browse the full cheat sheet at https://lnkd.in/gYRS2SyS to see all the patterns covered for Python, Java, JavaScript, Go, and Ruby. #SAST #AppSec

👤ID verification is rapidly shifting from a “nice to have” feature to a regulatory requirement, especially across EMEA. But as platforms rush to comply, new security and privacy risks are emerging. In the next episode of Security Rulez, Dr. Katie Paxton-Fear joins Akira Brand to discuss the real-world implications of identity verification, including the risks of third-party verification services and how companies can design systems that prioritize both security and user privacy. Join the conversation as we unpack what responsible identity verification looks like today. 📆 March 31 🕛 8:00 AM PT / 3:00 PM UTC Register now👇

The Telnyx Python SDK (~742K downloads/month) was compromised with malicious code hidden in a .wav file, triggered just by importing the library. No function call needed. This isn't just a supply chain issue but a Client SDK trust problem. Read more in a blog post that breaks down a systemic issue with vendor sdk security workflows.

Client SDKs are:  • trusted like internal code  • shipped like third-party dependencies  • rarely reviewed like production systems That gap can become a security blind spot. I wrote up a summary of what happened with the latest python package that was quarantined and why this pattern keeps repeating:

While y'all were at RSA, I was doing incident response with the team at Semgrep, making sure we weren't next on the GHA Wall of Shame. Isaac Evans and Romain Gaucher told me to write about it, so I did! Read it here: https://lnkd.in/dz7TpJan