La semaine dernière vous avez peut etre loupé :
🛡️ Kubescape : la plateforme de sécurité Kubernetes tout-en-un - 18/05/2026
Kubescape v3 unifie hardening, scan CVE, analyse RBAC, SBOM et monitoring continu dans un seul outil open-source ; si tu ne l’as pas encore intégré dans ta pipeline, voici pourquoi c’est le moment….
📋 Kyverno en 2026 : Policy-as-Code, CEL et intégration Sigstore - 20/05/2026
L’API v2, le CEL natif et Sigstore v2 font de Kyverno en 2026 un moteur de policies Kubernetes radicalement plus puissant ; le framework de test Chainsaw change aussi la donne pour valider ses règles en CI….
🔑 K01 : Contrôles d’accès API non sécurisés - 22/05/2026
L’API Server est la cible numéro un des attaquants sur Kubernetes ; l’authentification anonyme et les tokens mal gérés restent en 2026 les vecteurs d’entrée les plus fréquents sur les clusters compromis….
☸️ OWASP Top 10 Kubernetes en 2026 : état des risques et nouvelles mitigations - 22/05/2026
CEL, Sigstore, Gateway API, OpenTelemetry ; les outils de mitigation du Top 10 OWASP Kubernetes ont sérieusement évolué et cet état des lieux mis à jour te donne les réponses concrètes aux menaces actuelles….
#DevSecOps #OWASP #CloudSecurityAlliance
Liste de liens interessants de la semaine
🔗 Well-architected best practices for software supply chain security There have been multiple notable supply chain attacks using the npm Registry since September: Shai-Hulud, Chalk/Debug, one abusing tea.xyz tokens, and recently axios. Thanks to community efforts involving the Amazon Inspector team, the Open Source Security Foundation, and others, the affected packag….
🔗 Gitea Vulnerability Exposes Private Container Images without Authentication Cybersecurity researchers have disclosed a security flaw in Gitea, an open-source, self-hosted platform for version control, that allows unauthenticated remote attackers to pull private container images from Gitea deployments without requiring an account, password, or other credentials. The vulnerab….
🔗 Shadow AI Agents: The Insider Threat You’re Not Monitoring Yet The shadow AI conversation that started two years ago was about data leakage. An employee pasted a customer list into ChatGPT. A developer dropped proprietary code into a chat window. The risk was real, but the shape of it was familiar. Security teams responded with the controls they already had: Da….
🔗 Anthropic Prepares Claude Mythos for Wider Release Through Claude Code Anthropic is preparing to expand access to its most advanced AI model, Claude Mythos, signaling a shift from tightly controlled deployment to a staged commercial rollout under a new version labeled Mythos 1. The move suggests the company is transitioning from experimental security use cases toward b….
🔗 Introducing RAMPART and Clarity: Open source tools to bring safety into Agent development workflow | Microsoft Security Blog The AI systems shipping inside enterprises today are fundamentally different from the ones we were building even two years ago, because they have moved well past answering questions and into accessing your email, retrieving records from your CRM, writing and executing code, and taking actions on you….
🔗 New 7-Zip Vulnerabilities Let Attackers Execute Arbitrary Code and Compromise Systems A critical heap buffer overflow vulnerability has been disclosed in 7-Zip version 26.00, enabling attackers to achieve arbitrary code execution via a vtable hijack by exploiting a defect in the tool’s NTFS archive handler. Tracked as CVE-2026-48095 and assigned advisory GHSL-2026-140, the flaw resid….
🔗 Hackers Exploit Azure RBAC to Steal Key Vault Secrets Hackers are increasingly exploiting cloud identity and access management systems, and a methodical, sophisticated, and multi-layered attack, where a threat actor we track as Storm-2949 launched a relentless campaign with a singular focus: to exfiltrate as much sensitive data from a target organizati….
🔗 Hackers Exploit Shared CDNs to Evade Domain Reputation Filters Hackers are increasingly abusing shared Content Delivery Network (CDN) infrastructure to bypass domain-reputation-based security controls using a newly identified technique called “Underminr.” Underminr is not a conventional software flaw but an inherent weakness in how modern CDNs handle multi-tena….
🔗 Hackers Compromised 34 Packages in npm, PyPI, and Crates in New Supply Chain Attack New TrapDoor supply chain campaign , an active attack deploying 34 malicious packages and over 384 related versions across npm, PyPI, and Crates.io to steal developer credentials and cryptocurrency wallets. The operation explicitly targets developers in the crypto, DeFi, Solana, and AI communities b….
🔗 Pentest Agent Suite – Bug Bounty Framework for Claude Code and 6 AI Coding Tools A fully autonomous bug-bounty framework called Pentest Agent Suite has been open-sourced, delivering 50 specialized security agents, 26 slash commands, 19 CLI tools, and a cross-IDE installer across seven major AI coding platforms — Claude Code, OpenAI Codex, Google Gemini, Cursor, Windsurf, VS Code….
🔗 Lessons for organizations from the Verizon 2026 Data Breach Investigations Report This is my favourite time of the year, not just because spring is here and the promise of summer is on the way. But also, because one of my must reads each year gets published. There are a few must read reports that I have on my reading list for each year and the Verizon Data Breach Investigations R….
🔗 GitHub Strengthens npm Security With Staged Publishing Protection GitHub has introduced a major security enhancement to the npm ecosystem with the general availability of staged publishing and new install-time controls in npm CLI version 11.15.0. These updates are designed to reduce software supply chain risks, particularly those arising from compromised developer….
🔗 Hackers Compromise 34 npm, PyPI, and Crates Packages in Major Supply Chain Attack Hackers have launched a large-scale software supply chain attack targeting developers across npm, PyPI, and Crates.io, compromising at least 34 open-source packages and hundreds of associated versions. Security researchers at Socket are tracking the campaign as “TrapDoor,” a crypto-focused credentia….
🔗 MiniUpdate RAT Abuses Azure C2 for Targeted Espionage A sophisticated espionage campaign by the Iran-nexus advanced persistent threat group known as Screening Serpens also tracked as UNC1549 and Smoke Sandstorm deploying a newly identified remote access Trojan (RAT) family called MiniUpdate against targets in the United States, Israel, and the United A….
🔗 Top 10 Best Static Application Security Testing (SAST) Tools for Security Teams in 2026 The complexity of modern software development requires security to be deeply embedded within the engineering pipeline rather than treated as an afterthought. Whether you are managing extensive front-end codebases or back-end API integrations, catching flaws before code is compiled is crucial. This p….
🔗 Week in review: GitHub breached via poisoned VS Code extension, critical NGINX flaw exploited Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: GitHub, Grafana Labs breaches traced back to TanStack supply chain compromise GitHub CISO Alexis Wales has named the malicious VS Code extension behind the breach they suffered at the hands of the threa….