TL;DR: [email protected] is malicious. It uses Bun runtime smuggling for EDR evasion, scrapes GitHub Actions runner memory for secrets, harvests credentials from every major cloud provider and secrets management system, exfiltrates through RSA-4096 encrypted channels, injects a secret-dumping GitHub Actions workflow disguised as Dependabot, poisons every branch of compromised repos with files disguised as Claude […]

Executive Summary [email protected] is a compromised npm package used in a supply chain attack to steal GitHub, npm, and multi-cloud credentials. The malicious version introduces a preinstall hook that executes an obfuscated payload, harvesting secrets and exfiltrating them via GitHub APIs. This activity is part of the Shai-Hulud worm campaign targeting CI/CD pipelines. Detection Summary […]

Executive Summary Our research team identified a sophisticated supply chain attack targeting SAP Cloud Application Programming (CAP) framework packages. The campaign demonstrates advanced techniques for compromising trusted publishing pipelines and injecting malicious code directly into enterprise CI/CD workflows. The activity has been attributed to TeamPCP, a financially motivated threat actor known for large-scale supply chain […]

TL;DR: Time-to-Exploit (TTE), the gap between vulnerability disclosure and first observed exploitation, has gone negative. Mandiant’s M-Trends 2026 report shows attackers now exploit vulnerabilities, on average, before a patch is publicly available and we see the same in running environments. That breaks the foundational assumption every legacy CNAPP architecture was built on — that defenders […]

Security teams need confidence that the cloud environments they rely on are covered. In fast-moving organizations, that confidence can be difficult to maintain as new accounts are added, workloads shift, and infrastructure changes across teams, regions, and providers. Upwind now makes it easier to validate cloud security coverage across connected cloud accounts and runtime sensors. […]

Everyone is catastrophizing about AI-powered attacks. Here’s the contrarian case, and why the window is narrower than it looks. TL;DR: The prevailing narrative at Black Hat 2025 was that AI has made attackers unstoppable. The most credentialed voice in the room said the opposite, and the data backs him up. The Mythos release through Project […]

Notes on the Vercel / Context.ai OAuth incident, and how Upwind stands with its community through moments like these. On April 19, Vercel disclosed a security incident stemming from a compromise of a third-party AI tool, Context.ai, whose Google Workspace OAuth application was abused by an attacker. A Vercel employee signed into Context.ai using their […]

Key Takeaways Anthropic’s Mythos model has been called a cybersecurity watershed and a marketing stunt in the same week. Both camps have a point. Mythos appears to represent a real capability gain, and Anthropic deserves credit for releasing it through Project Glasswing rather than dropping it in the wild. At the same time, independent replication […]

The AI security industry is calling 2025 the new 1990s. The uncomfortable truth is that we predicted every mistake we’re making right now — and made them anyway. TL;DR: AI security in 2025 is repeating the same structural mistakes that made the early internet a golden age for hackers — not because the industry forgot […]

Cloud security teams are expected to move fast. They need to investigate issues quickly, answer leadership questions clearly, and stay ahead of risk across environments that keep growing more complex. But in many organizations, too much time is still spent on work that does not reduce risk. Before a team can investigate an issue, they […]