Blog
Security context, API design, and engineering from the Attestd team.
Data & Insight
Attestd Now Covers Authentication Infrastructure and Language Runtimes
Attestd adds authentication infrastructure and language runtimes: Keycloak, Samba, Linux-PAM, Python, PHP, Erlang/OTP, and more.
Robert · 6 min read
Data & Insight
Signed, Verified, and Malicious: The Shai-Hulud Attack on TanStack and Mistral
TanStack and Mistral AI packages were compromised with valid SLSA Build Level 3 attestations. npm audit passes. Provenance verification passes.
Robert · 6 min read
Data & Insight
Expanding Coverage: Security Tooling and CI/CD Infrastructure
Attestd now covers HashiCorp Vault, Jenkins, GitLab, Gitea, and Tekton Pipelines. Jenkins CVE-2024-23897 and GitLab CVE-2023-7028 are both CISA KEV.
Robert · 5 min read
Tutorial
How to Give Your LangChain.js Agent a Security Sensor
Give your LangChain.js agent real-time CVE and supply chain data. Tool definition, agent executor pattern, and runnable TypeScript with verified API responses.
Robert · 8 min read
Data & Insight
npm Supply Chain Monitoring Is Live on Attestd
Attestd now monitors 45 npm packages for malicious publishes alongside PyPI. @bitwarden/cli 2026.4.0 returns compromised: true. One API call, both ecosystems.
Robert · 6 min read
Editorial
PCPJack Is Scanning Your Docker, Redis, and MongoDB Instances for Credentials
PCPJack is a new credential-theft framework targeting exposed Docker, Kubernetes, Redis, and MongoDB. All four are covered by Attestd.
Robert · 4 min read
Editorial
vm2 Was Abandoned After a CVSS 10.0 Sandbox Escape. Millions of Projects Still Depend on It.
Attestd now covers vm2, Node.js, Deno, and Hermes. The vm2 sandbox was abandoned after back-to-back critical CVEs. Here's what the data shows across all four.
Robert · 5 min read
Data & Insight
Attestd for JavaScript: CVE Risk State and Supply Chain Integrity, Now in TypeScript
The Attestd JavaScript SDK is live on npm. Zero dependencies, full TypeScript types, dual ESM and CJS builds. Same API, now in Node.js.
Robert · 5 min read
pytorch-lightning 2.6.3 Was Backdoored. 11 Million Monthly Downloads. No CVE.
pytorch-lightning 2.6.3 contained a backdoor that downloads a JS runtime on import and steals cloud credentials. No CVE exists.
Robert · 4 min read
Data & Insight
Expanding Coverage: Web Proxies, Message Queues, and the Infrastructure Layer AI Stacks Depend On
Web proxies and message queues are invisible to dependency scanners. Attestd now covers 12 new products in both layers. Here's what the data shows.
Robert · 5 min read
Tutorial
How to Give Your LangChain Agent a Security Sensor
Build a LangChain StructuredTool that checks CVE risk state and supply chain integrity for any dependency. Step-by-step with working code.
Robert · 7 min read
Editorial
elementary-data 0.23.3 Was Compromised for 48 Hours Before Anyone Noticed
elementary-data 0.23.3 was backdoored via GitHub Actions injection on April 24. No CVE exists.
Robert · 6 min read
Data & Insight
Expanding Container and Orchestration Coverage: 7 New Products Now Supported
Attestd now supports runc, Docker Engine, containerd, Kubernetes API Server, kubelet, Helm, and Argo CD.
Robert · 5 min read
Editorial
The Same Threat Actor Who Compromised LiteLLM Just Hit Bitwarden
TeamPCP compromised Bitwarden CLI on npm April 22. The same actor hit LiteLLM on March 24. Here is the campaign pattern and what to check.
Robert · 6 min read
Data & Insight
Supply chain integrity, now on /v1/check
Attestd now returns supply chain integrity signals alongside CVE risk state. One API call, two independent signals, 26 monitored PyPI packages.
Robert · 6 min read
Data & Insight
NIST Just Admitted It Can't Keep Up With CVEs. Here's What That Means for Your Vulnerability Data.
NIST can no longer enrich most CVEs. Here's what the April 15 policy change means for vulnerability data, and why Attestd's confidence score field exists.
Robert · 6 min read
Flowise Is Being Actively Exploited. Your AI Stack Has More Exposure Than You Think.
CVE-2025-59528 in Flowise is under active exploitation. Patching the app is step one. Check your entire AI dependency stack for CVE and supply chain exposure.
Robert · 5 min read
Data & Insight
Expanding Database Coverage: 11 New Products Now Supported
Attestd now supports 11 new database engines including MySQL, MongoDB, Elasticsearch, and Microsoft SQL Server.
Robert · 6 min read
Editorial
The LiteLLM attack and the two security layers your AI agent stack is missing
The LiteLLM supply chain attack exposed a gap most AI agent developers haven't thought about. Here's what happened.
Robert · 6 min read
How to Stop Your AI Agent from Deploying Vulnerable Software
Stop your AI agent from deploying vulnerable software. Python SDK guide covering LangChain tool integration, async patterns, and outside-coverage handling.
Robert · 10 min read