Endor Labs

“Can you trust the MCPs on GitHub without running your own scans?” In this clip with Hacker Valley Media, Varun Badhwar and Henrik Plate talk about a hard truth: We’ve built implicit trust into open source. And attackers are exploiting it every week. Whether it’s traditional dependencies, MCPs on GitHub, or models pulled from Hugging Face, third-party code needs to be vetted like anything else running on your system. Trust is not a control. Verification is. https://lnkd.in/gdRv_p9D #AppSec #MCP

Great evening with the OWASP Saint Louis community. Thanks to everyone who joined, both in person and online. We had attendees from across the U.S. and around the world, and the energy in the room (and on the stream) was great. Appreciate OWASP St. Louis for hosting, and thanks to Nate Michalov and Jake Federlick for making it a fun and thoughtful session! #AppSec #OWASP #OWASPStLouis

Most companies today deal with tens of thousands of alerts from code scanning tools. That overhead becomes a tax on both security and developer productivity. We built Endor Labs differently. An AI-native platform designed with code context at the center. The result: - ~90%+ reduction in security alerts - Faster remediation, because fixes come with real context developers can act on - Security that fits naturally into AI-native development workflows, including coding agents and MCP integrations The goal isn’t more alerts. It’s quieter pipelines, faster fixes, and more secure software, by default. https://lnkd.in/gdRv_p9D #AppSec #MCP

Why reachability matters in SCA (and why transitive dependencies are the real risk). If you’re using Software Composition Analysis, finding vulnerable packages is only half the story. The real question is: can your application actually reach that vulnerable code? In this video, Robert Haynes, Endor Labs Technical Marketing Engineer, explains 👇 • What “reachability” really means in AppSec • Why transitive dependencies are where most teams get tripped up • How reachability cuts noise and helps teams focus on issues that actually matter If you’re tired of long vulnerability lists that don’t map to real risk, this one’s for you. https://lnkd.in/gtbzCe_U #ApplicationSecurity #AppSec #SCA #SoftwareSupplyChain #DeveloperExperience #DevSecOps

Check out this detailed write-up from security researcher Cristian-Alexandru Staicu about 8 node.js CVEs disclosed today. #nodejs #appsec #CVE #vulnerability

Team night out at a Sharks game this past weekend 🦈 Good game, good company, great time!

We’re excited to welcome our newest Ewoks to the Endor Labs team! - Krunal Patel, Sales Development Representative - Abhishek Jain, Product Operations Manager - Ramachandran Diraviyam, Account Executive - Peyton Kennedy, Senior Security Researcher - Robert (Bobby) Martinez, Account Executive - Sai Bhargav, Senior Customer Success Engineer Glad to have you with us 💚

There is a new supply chain attack targeting the n8n ecosystem. npm has removed multiple malicious packages, but attackers could re-use this tactic. ⚠️ What happened?  A malicious npm package, disguised as a legitimate Google Ads integration, was published as an n8n community node. Once installed, it quietly harvested OAuth tokens and API keys during normal workflow execution and exfiltrated them to an attacker-controlled server. 🤔 Why does it matter?  This attack is dangerous because organizations have trust that any installed node inherits in the ecosystem. This mirrors earlier campaigns like Shai-Hulud, which abused GitHub Actions workflows. Attackers are moving “up the stack” to platforms that centralize credentials and automate business logic. 🛠️ How can you reduce n8n risk?  1️⃣ Use official nodes and prefer n8n's built-in integrations 2️⃣ Audit packages before installing them 3️⃣ Scrutinize package metadata 4️⃣ Monitor outbound network traffic  5️⃣ Use isolated service accounts with the least privileges Read the deep dive here: https://lnkd.in/gzcFxNGG #malware #n8n #npm

Join Nate Michalov for the #OWASP St. Louis Meetup: Lessons from npm’s Dark Side: These Are Not the Packages You’re Looking For. The JavaScript ecosystem, especially npm, is a prime target for supply-chain malware, and with JavaScript powering the web, the impact is widespread. We’ll cover why attackers target npm, walk through real attack examples, and share what you can do to protect yourself and your organization. 🗓 January 13, 2026 ⏰ 6:00–7:30 PM Register here: https://lnkd.in/gkYWKAjH #StLouisMeetup #AppSec