SecureNexus GRC
SECURENEXUS
  • Home
  • Blog
  • Case Studies
  • About
Get Started
SecureNexus GRCSECURENEXUS

Empowering digital organizations with unified security — through connected insights, trusted expertise, and end-to-end coverage.

A venture of

X-Biz TechVentureswww.xbizventures.com

Services

  • Regulatory Consulting
  • Red Teaming
  • Cloud Security
  • Security Operations
  • Security Training
  • Product Advisory

Products

  • Perimeter (CTEM)
  • Cloud Security Posture Management
  • Vulnerability Management
  • SOVA (SCA)
  • Third Party Risk Management

Company

  • About Us
  • Contact
  • Blog
  • Case Studies

Resources

  • Security Assessment
  • Breach Probability

Contact

[email protected]
+91 1800-266-8575

Certifications & Compliance

Certifications and Empanelment — D.U.N.S Registered, ISO 9001:2015, BQC, IAF, ISO 27001, Nasscom, ESC, CERT-IN Empanelled
Offices

Mumbai (HQ)

118-120 IJMIMA Complex, Mindspace, Malad West, Mumbai 400064

Pune (GCC)

Unit 2-B, 1st Floor, Cerebrum IT Park, Kalyani Nagar, Pune 411014

Mumbai (Tech & Innovation)

315, 3rd Floor, Lodha Supremus, Andheri East, Mumbai 400069

Dubai

M35, Warba Centre, Al Muraqqabat, Deira, Dubai

X-Biz TechVentures

© 2026 X-Biz TechVentures Pvt. Ltd. All rights reserved.

  1. Home
  2. Blog
  3. Security
Security

Security Articles

Best practices, frameworks, and strategies for building robust security postures and protecting your digital assets.

View All Articles

26 Articles

Your Frontend Is a Goldmine: Hidden Secrets in JavaScript Bundles
Security
2026-04-11
9 min read
Your Frontend Is a Goldmine: Hidden Secrets in JavaScript Bundles
Minification isn't encryption. Every JavaScript bundle your app ships is readable in seconds — and attackers know it. This post breaks down exactly what they find: hardcoded API keys, internal endpoints, client-side business logic, and exposed source maps. Plus the five controls that make sure none of it leaves your codebase.
Frontend Security
JavaScript
API Keys
Arjun Gupta
Read More
Post-Install Scripts: The Most Dangerous Feature Nobody Talks About
Security
2026-04-10
8 min read
Post-Install Scripts: The Most Dangerous Feature Nobody Talks About
Every npm install silently executes lifecycle scripts from every package in your dependency tree — no prompts, no sandboxing, with full system access. This post breaks down how post-install scripts work, why they are the most exploited vector in npm supply chain attacks, and the five controls that eliminate the risk.
Supply Chain Security
npm Security
Post-Install Scripts
Arjun Gupta
Read More
GlassWorm's Zig Dropper: Why Every IDE Is Now Part of the Attack Surface
Security
2026-04-10
10 min read
GlassWorm's Zig Dropper: Why Every IDE Is Now Part of the Attack Surface
GlassWorm is a multi-ecosystem supply chain campaign that embeds invisible Unicode-obfuscated payloads in GitHub repositories, npm packages, and VS Code extensions. Its latest evolution uses a Zig-compiled native dropper to spread across developer IDEs, harvesting credentials and enabling autonomous supply chain propagation. This analysis breaks down the infection chain, explains why the IDE is now a Tier-0 attack target, and provides actionable controls for security teams.
Supply Chain Security
IDE Security
GlassWorm
Vitish Bhardwaj
Read More
VeloraDEX SDK Poisoned: Anatomy of an npm Supply Chain Attack Targeting DeFi Developers
Security
2026-04-08
12 min read
VeloraDEX SDK Poisoned: Anatomy of an npm Supply Chain Attack Targeting DeFi Developers
On April 7, 2026, a malicious version of the VeloraDEX SDK — the JavaScript library used by DeFi applications to aggregate liquidity across decentralized exchanges — was published to npm. Version 9.4.1 of @velora-dex/sdk contained a three-line payload prepended to the bundled distribution file that silently downloaded and executed a remote bash script from a server in Romania. The malicious code was not present anywhere in the GitHub repository. Only the npm tarball carried the backdoor, and it ran on every import — no install hooks, no postinstall scripts, nothing that conventional security scanners flag. For a package that sits in the dependency tree of DeFi applications handling real money, this is about as dangerous as supply chain attacks get.
VeloraDEX
ParaSwap
npm
Sunil Kumar
Read More
Axios Compromised: Anatomy of an npm Supply Chain Attack
Security
2026-03-31
15 min read
Axios Compromised: Anatomy of an npm Supply Chain Attack
I spent the morning of March 31, 2026 pulling apart what turned out to be one of the more carefully orchestrated npm compromises I have seen. Someone hijacked a lead maintainer's account for axios — the HTTP client that 174,000+ packages depend on — and pushed two rogue versions containing a hidden dependency. That dependency carried an obfuscated postinstall script that dropped a cross-platform RAT, phoned home to a command server, then erased every trace of itself from disk. The whole operation ran for about three hours before npm pulled the versions, but three hours is an eternity when you are talking about a package at the foundation of the JavaScript dependency graph.
axios
npm
Supply Chain Attack
Vitish Bhardwaj
Read More
TeamPCP Strikes Again: PyPI Supply Chain Breach Turns Telnyx SDK Into a Credential Stealer
Security
2026-03-27
12 min read
TeamPCP Strikes Again: PyPI Supply Chain Breach Turns Telnyx SDK Into a Credential Stealer
On March 27, 2026, two malicious versions of the Telnyx Python SDK (4.87.1 and 4.87.2) were uploaded to PyPI using stolen credentials linked to the TeamPCP threat group. The payload used WAV steganography to hide credential-stealing malware inside audio files. PyPI quarantined both versions within six hours, but the package's 742,000+ monthly downloads meant significant exposure.
TeamPCP
Telnyx
PyPI
Mohit Kumar
Read More
LiteLLM Compromised on PyPI: How a Hijacked Maintainer Account Turned an LLM Gateway Into a Credential Stealer
Security
2026-03-25
11 min read
LiteLLM Compromised on PyPI: How a Hijacked Maintainer Account Turned an LLM Gateway Into a Credential Stealer
LiteLLM versions 1.82.7 and 1.82.8 on PyPI were compromised by the TeamPCP threat actor group. The malicious packages stole credentials, deployed persistence via systemd, and performed lateral movement in Kubernetes clusters. The attack propagated from the earlier Trivy supply chain compromise through LiteLLM’s own CI/CD pipeline.
Supply Chain Security
PyPI
LiteLLM
Mohit Kumar
Read More
Trivy VS Code Extension Compromise: What Happened, How AI Agents Were Weaponized, and What You Should Do
Security
2026-03-20
9 min read
Trivy VS Code Extension Compromise: What Happened, How AI Agents Were Weaponized, and What You Should Do
CVE-2026-28353 is a CVSS 10.0 supply chain compromise of the Trivy VS Code Extension on OpenVSX. A stolen GitHub PAT, extracted through a misconfigured pull_request_target workflow, was used to publish tampered extension versions that weaponized local AI coding agents for credential theft and data exfiltration via prompt injection.
CVE
Supply Chain Security
AI Security
Yash Kumar
Read More
The Enemy in the Editor: Securing the Modern Software Supply Chain
Security
2026-03-14
12 min read
The Enemy in the Editor: Securing the Modern Software Supply Chain
From malicious IDE extensions to AI hallucination attacks and self-replicating supply chain worms — the modern development toolchain is under sustained attack. This blog examines the four major vectors and what organisations should do about them.
Supply Chain Security
SBOM
SOVA
Hazza Shaikh
Read More
Your Employees Are Feeding Sensitive Data to AI Models — And You Have No Inventory of Which Ones
Security
2026-03-14
9 min read
Your Employees Are Feeding Sensitive Data to AI Models — And You Have No Inventory of Which Ones
Shadow AI is spreading faster than shadow IT ever did. Employees are granting AI tools full machine access, pushing sensitive data into models, and nobody is tracking which tools are in use. Here is why AI-BOM and AI asset registers are becoming essential governance infrastructure.
AI Security
AI-BOM
AI Governance
Yash Kumar
Read More
Client-Side Encryption Is Not a Security Strategy
Security
2026-03-14
9 min read
Client-Side Encryption Is Not a Security Strategy
How JavaScript and Mobile Crypto Creates a False Sense of Security — and Quietly Defeats Your WAF
Client-Side Encryption
API Security
WAF Bypass
Yash Kumar
Read More
Why CTEM Is Becoming the Backbone of Modern Security Programs
Security
2026-03-14
5 min read
Why CTEM Is Becoming the Backbone of Modern Security Programs
Why vulnerability management alone isn't cutting it anymore and how CTEM gives security leaders a framework to continuously discover, prioritise, and remediate real exposure across sprawling attack surfaces, not just chase CVE counts.
CTEM
Threat
ASM
Yash Kumar
Read More
13