Upwind’s Runtime Vulnerability Management
Contents
Further Reading

No npm Token Required: Inside the AsyncAPI Supply Chain Attack
Executive Summary Upwind identified a critical supply chain compromise across five npm packages in the @asyncapi scope, published on July 14, 2026 via two separate branch compromises in two GitHub repositories. The attacker never touched an npm token. They abused each project's own CI pipeline through GitHub Actions OIDC to publish the malicious packages. The…

AI Proves the Real Bottleneck Was Never Finding Vulnerabilities
Let this sink in: finding security vulnerabilities was never the bottleneck, vulnerability prioritization was. AI-scale discovery is about to make that impossible to ignore, and the teams that see it coming will pull ahead of the rest. Here's what kept me up this week. Anthropic ran a frontier model against some of the world's most…

Upwind gives you SBOM coverage across every cloud workload
Software supply chain risk doesn't stop at the container boundary. Most organizations still run a meaningful share of production workloads on virtual machines across legacy services, data pipelines, and infrastructure that was never containerized. The Upwind Platform creates SBOMs at runtime, delivering greater accuracy than build-time tools by continuously monitoring your live environment. Format adds…