Home / Companies / Semgrep / Blog / May 2026

May 2026 Summaries

13 posts from Semgrep

Filter
Month: Year:
Post Summaries Back to Blog
In 1998, members of L0pht Heavy Industries warned U.S. senators about the vulnerabilities in the internet, asserting they could disable it in 30 minutes, a claim underscoring the fragile foundation of critical systems built without inherent security. Over the years, while awareness and tools for identifying and responding to threats have significantly improved, the underlying issue of insecure code persists, with the cycle of "ship it, patch it, breach it" remaining largely unchanged. The advent of AI presents both a challenge and an opportunity, as AI-assisted development accelerates code production, potentially amplifying existing vulnerabilities, yet offers promising tools for real-time, context-aware vulnerability detection integrated into development processes. The evolving landscape suggests a shift towards embedding security within the development workflow, emphasizing prevention at the source rather than post-production fixes, with the next phase of progress hinging on unified efforts between security and development teams to prioritize secure coding practices.
May 28, 2026 1,291 words in the original blog post.
The text discusses the challenges and strategies associated with improving the efficiency and effectiveness of security remediation practices in software engineering. It highlights the importance of optimizing five key areas—timing of findings surfacing, signal quality, tool consolidation, reachability precision, and quick response by engineering teams—to achieve higher fix rates and minimize technical debt. The text emphasizes the significance of addressing security findings promptly, particularly those identified in pull requests, to reduce context-switching delays and prevent the accumulation of unresolved issues. It also underscores the benefits of using a unified tool across multiple programming languages to streamline workflows and improve coordination. Additionally, the text points out the advantages of reachability analysis for third-party dependencies and the risks associated with delays in addressing security findings beyond 90 days. Overall, it advocates for a proactive and integrated approach to security remediation to maximize return on investment and maintain control over project quality and security.
May 27, 2026 1,555 words in the original blog post.
The author recounts their recent experience judging two hackathons at Semgrep and DataGrail, where the impact of AI coding tools transformed the typical hackathon dynamic by enabling every team to deliver polished, functional projects. Unlike past hackathons characterized by incomplete demos and ideas, these events showcased projects with working code, polished UIs, and real data, leading to the challenge of selecting a winner among uniformly strong entries. The hackathons emphasized product-centric thinking over mere technical execution, with successful teams having a clear understanding of the problems they addressed. The author notes that AI tools have shifted the focus from merely coding to discerning what is worth building. They advocate for integrating hackathon-style energy into regular development cycles, highlighting its potential to accelerate product strategy and development. The piece concludes with a call to action, inviting like-minded individuals to join Semgrep in building impactful solutions.
May 22, 2026 787 words in the original blog post.
The text discusses the challenges and solutions in the realm of application security (AppSec) with the emergence of AI-driven tools like Mythos. It highlights the necessity for defenders to adapt by automating security measures and reassessing AppSec strategies to keep pace with rapid developments in AI-generated code and evolving attacker tactics. Semgrep CEO Isaac Evans emphasizes the importance of tools like Semgrep Guardian for enforcing security policies, detecting threats, and automating fixes in AI-generated code before it enters version control. The text introduces new rulesets aimed at identifying risky patterns and malicious activities in AI applications, such as prompt injection attacks and insecure configurations. Autofix, a feature currently in beta, is designed to automatically generate pull requests for fixing security vulnerabilities, enhancing the efficiency of addressing findings. The document also underscores Semgrep’s efforts to improve scan speeds for large codebases, reducing the time required for security assessments. Additionally, it invites readers to a webinar featuring experts discussing the capabilities and limitations of AI security tools, emphasizing the importance of maintaining strong security fundamentals amidst these technological advancements.
May 19, 2026 1,146 words in the original blog post.
Supply chain attacks have been on the rise, with a significant number traced back to Shai-Hulud and its variants orchestrated by TeamPCP, who have even open-sourced the worm code. These attacks exploit the dependency ecosystem's vulnerabilities, spreading through automated CI/CD pipelines, and are often initiated through social engineering, such as phishing, or exploiting GitHub Actions configurations. Once a package is compromised, it can rapidly infect others within the same ecosystem, often going unnoticed due to the implicit trust in established packages. While security measures like rotating credentials and enabling phishing-resistant MFA are recommended, they are largely reactive and fail to address the underlying conditions that make these attacks viable. The persistent nature of these threats, coupled with the open-sourcing of the worm code, suggests that such attacks will continue to evolve, affecting not just npm but other ecosystems like PyPI and Packagist. The responsibility for ecosystem security remains shared among maintainers, consumers, and third-party security vendors, but this approach is not sustainable in the long term.
May 19, 2026 2,067 words in the original blog post.
A maintainer's compromise led to the injection of malicious dependencies into several popular npm packages, affecting a wide array of the ecosystem, including high-usage libraries like @antv/*, timeago.js, and size-sensor. This breach exposed hundreds of packages to potential security risks, spreading malicious code throughout the supply chain. Semgrep has deployed rules to detect these malicious dependencies, advising developers to scan their projects for impact. The compromised packages are integral to user interface functionalities, such as time display, data visualization, and responsive design, often used as transitive dependencies in larger frameworks. Alternatives are suggested, such as javascript-time-ago, moment.js, Apache ECharts, and native browser support like ResizeObserver, to mitigate risks and provide additional features such as internationalization or improved developer experiences. The advisory warns that the malware executes during package installation, potentially affecting development environments, CI systems, and internal tooling, thereby emphasizing the need for thorough investigation and caution across all applications, not just public-facing ones.
May 18, 2026 635 words in the original blog post.
Researchers identified malicious activity in recent versions of the node-ipc npm package, which contained an infostealer malware active for about two hours. This malware fingerprinted host environments, accessed local files, and exfiltrated data via a custom DNS server, leaving minimal traces except for DNS queries and a temporary file. Notably, node-ipc had previously been involved in a controversy in 2022 when maintainers added "protestware" targeting Russian and Belarusian IPs during the Ukraine-Russia War. Semgrep provides advisories and rules to detect such threats, urging users to scan projects for these package versions and follow remediation steps if affected. Remediation includes rotating credentials as the malware targets a broad range of credentials, from cloud services to development tools. Specific indicators of compromise, such as affected package versions and exfiltration domains, are outlined to aid in detection and response.
May 14, 2026 524 words in the original blog post.
Semgrep Multimodal is an advanced vulnerability detection solution that combines AI reasoning with rule-based analysis to address challenges such as false positives, determinism, and cost control in production environments. By integrating static analysis with AI, the system narrows down security-relevant code regions, using pattern matching, control flow, and data flow analysis to generate candidates for evaluation. This focused approach allows the AI to reason about the intent and security properties of the code, resulting in a 37% cost reduction and improved consistency and precision compared to using large language models alone. The use of persistent "Memories" and context documents helps reduce false positives by providing necessary context, while incremental analysis minimizes redundant evaluations and noise. Evaluated across multiple open-source repositories, Semgrep Multimodal demonstrated an 8.2x increase in true positives and a 54% reduction in false positive rates compared to a model-only baseline, showcasing its ability to enhance coverage without compromising precision or reliability.
May 13, 2026 1,080 words in the original blog post.
The recent detection of TanStack Router malware marks an evolution in the series of Dune-themed cyberattacks within the NPM ecosystem, notably following the Mini Shai-Hulud campaign that previously impacted PyTorch Lightning. This new variant exhibits enhanced capabilities, including an intricate encryption layer, a secrets collector updated to support AWS and AI tools, and a dynamic C2 architecture that evades traditional domain takedowns. The malware exploits GitHub Actions for spreading, bypassing npm installs, and leveraging GitHub's Trusted Publisher system. It achieves persistence through IDE hooks and is able to spread by simply opening a project in an IDE, such as VS Code or Claude Code. These upgrades have resulted in extensive compromise across various platforms, including TanStack, UiPath, and OpenSearch, with the potential for significant credential theft and further supply chain attacks. The attackers have demonstrated an iterative approach, learning from past defenses to craft more resilient and sophisticated methods of infiltration and persistence.
May 12, 2026 3,219 words in the original blog post.
TanStack, a key component in the React ecosystem, has evolved from a set of utilities to an influential application platform impacting data fetching and full-stack architecture. While TanStack Query has widely been adopted, TanStack Router is gaining popularity, emphasizing type-safe, loader-driven designs. A recent security compromise in TanStack's ecosystem highlights increased targeting of developer tools by attackers, who used install-time execution paths and obfuscated payloads to capture sensitive information like GitHub tokens and cloud credentials. The malicious packages, which included persistence mechanisms and destructive potential if credentials were revoked, targeted several NPM packages. Semgrep provides resources to identify and mitigate these threats, advising isolation and forensic analysis before revocation of exposed credentials. The incident underscores the need for vigilance in managing supply chain risks in software development environments.
May 11, 2026 770 words in the original blog post.
In the realm of software composition analysis, accurately inventorying dependencies across codebases has been challenging, especially with the complexity of modern applications and their shifting dependencies. Semgrep addresses this challenge with its Dynamic Dependency Resolution feature, which allows for a comprehensive and accurate dependency inventory without the need for lockfiles by resolving full dependency trees through manifest parsing and repository integration with package managers. This capability is crucial for identifying vulnerabilities, ensuring compliance, and preventing security breaches from malicious dependencies. Semgrep's solution supports numerous languages and ecosystems, including Java, Kotlin, C#, and Python, and integrates with private package registries such as Artifactory and Nexus to ensure complete visibility. By leveraging Semgrep Managed Scans, organizations can quickly inventory dependencies across vast codebases without additional infrastructure burdens, enhancing supply chain security and closing the lockfile gap.
May 07, 2026 797 words in the original blog post.
Security scanners like Semgrep are effective at identifying common vulnerabilities but often require customization to achieve accuracy specific to an organization's codebase. This customization can be achieved through 'memories'—custom rules that encode detection logic relevant to specific environments and frameworks. In an analysis of these memories, two categories—non-production environments and framework protection—account for nearly half of all memories, addressing frequent false positives by recognizing test-only code and internal security controls that generic scanners might miss. Non-production memories inform the scanner about code paths that are irrelevant to production, while framework protection memories capture existing security measures like authentication decorators and query builders. Memories are created either proactively by security teams or generated from developer triage decisions, transforming individual judgments into scalable institutional knowledge. To minimize false positives, organizations should prioritize encoding non-production environments and framework protections, as these represent the largest sources of repeated noise. The detailed findings and best practices for implementing memories are further explored in the Remediation at Scale report, which includes comprehensive data and recommendations for improving Static Application Security Testing (SAST) effectiveness.
May 06, 2026 1,191 words in the original blog post.
The EMEA Customer Advisory Board event in London, organized by Semgrep, highlighted the importance of integrating security seamlessly into the software development lifecycle, emphasizing the role of AI in modern application security. Over two days, industry practitioners and Semgrep executives engaged in discussions and deep dives into topics like agentic application security and supply chain risk mitigation. Attendees expressed a strong desire for security solutions that are autonomous, accurate, and integrate into existing developer workflows without being obstructive. The event underscored the urgency of adapting to AI's impact on code generation and the need for robust security measures to address new vulnerabilities, such as business logic flaws, introduced by AI-generated code. Following the Customer Advisory Board, the AWS Summit in London continued the dialogue, with a focus on how AI can be harnessed to enhance security without hindering developer speed. Semgrep's multimodal approach, which combines static analysis with AI and agentic reasoning, was showcased as a solution to improve detection accuracy and reduce false positives. The events collectively conveyed that the security community is eager for solutions that work with developers, not against them, and Semgrep is positioning itself as a key partner in this evolving landscape.
May 05, 2026 1,086 words in the original blog post.