Supply chain attacks surged in May, AI is rewriting the threat model, and EU compliance deadlines are no longer on the horizon; they're here. Here's what your AppSec team needs to know.

 
 

What's new

Mend.io and GitHub Partner to Expand Renovate Cloud for Open Source Maintainers

For GitHub Maintainer Month, Mend.io extended Renovate Cloud's free OSS plan to open source maintainers. The post covers what's included and how automated, noise-filtered dependency updates work at the project level.

👉 Read the announcement

Securing The Build: The AI-Generated Dependency Problem

How AI-generated dependencies create new software supply chain risks. Generative AI has introduced attack surfaces your supply chain defenses were never designed to catch, including slopsquatting, poisoned training data, and glitch tokens that break model behavior. If you build with AI, this one's for you.

👉 Listen to the episode

The EU Cyber Resilience Act: A Complete Compliance Guide for 2026 and Beyond

August enforcement isn't theoretical anymore. This guide breaks down exactly what the CRA requires, including vulnerability disclosure timelines, security update obligations, and CE marking requirements for digital products, and maps them to what your AppSec program needs to have in place. Written for security and engineering teams who own the compliance work, not just the legal summary.

👉 Read the EU CRA compliance guide

 
 
 
 
Customer quote

Vice President of Global Cybersecurity | Enterprise Software ($1B+) | ⭐⭐⭐⭐⭐

"It is hard to assign a value to an incident you prevented from happening. You need to understand and manage your risks. Your company and customers demand it. You cannot put a price on trust, and Mend.io helps us maintain the trust we have with our customers."

- Nick Banta, Vice President of Global Cybersecurity, Trimble

 
 

Events & webinars

Glasswing, Mythos, and the New Rules of AppSec

June 25 | 11:00 AM ET

AI agents can now find vulnerabilities that automated tools ran past five million times. This session covers what that shift means for AppSec programs built around slow-cycle scanning, and what proactive defense looks like when offensive AI is part of the threat model. Speakers: Saoirse Hinksmon, Head of Product Marketing at Mend.io, and Daniel Wyrzykowski, Product Manager at Mend.io.

👉 Register now

Dead or Alive: Hunt the Malicious Package

June 18 | 11:00 AM ET

Hunt a real dependency attack using SBOMs, AI-BOMs, and open source scanners. Explore hidden risks in public ML models — malware, insecure AI skills, vulnerable dependencies — and keep Frontier Stack Inc. from getting pwned.

Find the outlaw before it hits production for a chance to win a Raspberry Pi 5!

👉 Register now

AWS Summit

June 17 | New York City

Mend.io at AWS Summit NYC. Come find us if you're attending.

👉 Reserve time with the team

OWASP Global AppSec

June 25-26 | Vienna

Mend.io at OWASP Global AppSec EU in Vienna. Book a meeting onsite.

👉 Reserve time with the team

Black Hat USA

August 4-6 | Las Vegas

Mend.io will be at Black Hat USA this August. Get on the calendar early.

👉 Reserve time with the team

Modern AI risk doesn’t live in one layer. It lives between them.

Mend.io secures the code layer and the AI layer, and continuously protects the interaction between them, where modern risk emerges.