April 30, 2026 · 5 min
Mini Shai-Hulud Jumps to PyPI: Lightning Package Backdoored
Two malicious versions of the PyTorch lightning package activate silently on import, sweeping credentials, cloud secrets, wallets, and CI tokens.
Security assessments, strategic guidance, and practical roadmaps for growing companies
Three ways of working together, usually in this order, plus a self-service review we're building. From first call to funded roadmap, it's usually about six weeks.
01 · ASSESS · WEEKS 1–3
Your environment scored against CIS Controls v8: a written report with a risk score, the gaps that matter, and the ones that can wait.
02 · PLAN · WEEKS 4–6
A 12-month plan in two documents: a technical backlog for your engineers, a business case for your executives.
03 · ADVISE · ONGOING
A senior security voice in the room every month: planning calls, policy reviews, vendor risk. No full-time hire needed.
IN THE WORKS
A scored baseline you'll be able to run yourself. Until it ships, we run the same review with you directly.
Every engagement, no exceptions.
We don't resell third-party tools or take vendor commissions. When we recommend something, it's because it's right for you.
You work with the consultant doing the work. No account managers, no handoffs to a junior team after the contract is signed.
Your findings, scores, and roadmap stay yours. We don't name clients, share data, or reuse your results anywhere.
April 30, 2026 · 5 min
Two malicious versions of the PyTorch lightning package activate silently on import, sweeping credentials, cloud secrets, wallets, and CI tokens.
April 29, 2026 · 9 min
A preinstall hook in four SAP packages drops an 11.7 MB credential stealer onto developer machines and CI runners.
March 31, 2026 · 10 min
The lead axios maintainer's npm account was hijacked and two malicious versions shipped a cross-platform RAT to ~100M weekly downloads.
Send a short note about your environment and what's keeping you up at night. We'll tell you honestly whether we can help. If we're not the right fit, we'll say so.