Dawnguard’s $6.3 million raise and public launch point to a growing market for software that tries to move cloud security decisions earlier, before those decisions harden into live risk.
A reported flaw in Anthropic's buffa library shows how attacker-controlled parsing can turn compatibility features into availability risk, even in memory-safe code.
A proof-of-concept around agentic coding tools shows how repository content, setup logic, and hidden instructions can be chained into remote shell execution.
Buffer overflows remain a live threat because one bad bounds check can still turn into a crash, a leak, or remote code execution when the vulnerable code sits on a network-facing path.
IaC security pushes defenses upstream, because in many cloud environments the most expensive mistake is not a live misconfiguration but the code that creates it.
The shift from low-code and no-code into AI-assisted orchestration is changing who can build software, but it is also changing what must be trusted, reviewed, and contained.
A new agent-risk label is pushing a familiar security lesson into a more dangerous setting: if a coding assistant treats untrusted tool output like instructions, the boundary between data and action can collapse.
A growing obsession with token-heavy AI coding can make activity look like progress, but the deeper risk is a loss of control over what gets written, reviewed, and trusted.
A reported worm tied to 73 Microsoft repositories on GitHub shows how modern coding tools can turn the act of opening a project into a security event.
A new survey points to a widening gap between AI-driven software delivery and the controls meant to keep flawed code out of production.
Microsoft is adding a two-hour delay before Visual Studio Code extensions update automatically, turning update timing into a security control against supply chain abuse.
A malicious npm package was used in a demonstrated attack path that rerouted Claude Code integrations and put OAuth bearer tokens in the crosshairs.
A newly published proof-of-concept tied to VS Code has pushed a familiar developer convenience into uncomfortable territory: if an authentication token can be reached through an editor workflow, the practical risk can be as serious as any password leak.
A reported zero-day in Visual Studio Code puts a familiar workflow under a harsher light: one link click, one credential class, and a potentially wide blast radius depending on token scope.
A reported weakness in Visual Studio Code’s webview layer raises a familiar but dangerous question: what happens when an editor boundary and a GitHub authorization token sit too close together?
A free security-guidance plugin for Claude Code points to a broader shift in AI tooling: catching risky code while it is being proposed, not after it has already landed.
A free terminal plugin for Claude Code is designed to flag risky AI-generated edits before they land in the normal pull-request and CI workflow.
Anthropic has added a free security-guidance plugin to Claude Code, pushing vulnerability review into the coding session before changes reach a pull request.
Code strings and interface clues suggest Anthropic may be preparing a controlled expansion of its restricted Mythos model into coding and security workflows, where permissions matter as much as raw model power.
A reported compromise tied to a Visual Studio Code extension shows how a single trusted tool can become a gateway into source-code assets and internal development workflows.