Weekly Security Roundup: Supply Chain, Cloud Hardening, AI Agents

Security coverage this week centers on defending the software supply chain, hardening cloud platforms, controlling the identity of AI agents, and updated developer tooling for vulnerability management. As AI-assisted attacks and regulatory changes accelerate, teams face growing pressure to harden automated workflows and keep compliance evidence current.

Modern Supply Chain Threats and the Role of AI

A new multi-stage attack targeted Nx and npm, using stolen tokens and compromised GitHub workflows to publish malicious packages; its AI-driven reconnaissance marks the first public case of LLMs being used in an open source supply-chain attack. The incident affected over 5,500 repositories and triggered stronger 2FA requirements, Trusted Publisher policies, and workflow hardening. Upcoming EU regulations require machine-readable SBOMs and regular vulnerability disclosures by December 2027, prompting an increased focus on automating compliance checks and securing DevOps pipelines.

GitHub Security Ecosystem: Releases, Secret Scanning, and Risk Assessment

GitHub previewed immutable releases with asset and tag locking, using Sigstore cryptographic attestations to validate release assets. Secret scanning adds validators for ten new token types and launches a free Secret Risk Assessment tool for organizations, which summarizes exposed tokens and guides review and remediation. Together these expand coverage for credential leak detection and give administrators new workflow protections.

Cloud Infrastructure and Platform Security Enhancements

Azure improved platform security with Boost hardware isolation, integrated HSMs (FIPS 140-3), the Caliptra silicon root of trust, and firmware Code Transparency Services. Confidential VMs and containers support compliant protection of data at rest and in use. Microsoft’s ransomware report details hybrid attacks exploiting Entra ID and misconfigurations, with guidance on detection and on locking down the cloud estate.

Securing the Next Generation: AI Agents and Cryptographic Identity

Best practices for AI agent security include using Entra Agent ID, RBAC, agent registries, and Defender/Purview analytics to manage prompt injection risk and lifecycle drift. Microsoft’s Crescent cryptographic library supports privacy-preserving digital identity using Groth16 SNARKs, improving the privacy of JWTs and mobile credentials without major infrastructure changes.

Automated Vulnerability Remediation in Microsoft DevOps Workflows

Qwiet AI expands its support for Azure DevOps, Azure Boards, and GitHub, providing static analysis results in SARIF format, policy integration, and secret management. Its AutoFix engine automates risk inspection and patching, integrating remediation directly into developer workflows.

Other Security News

ASP.NET 10 APIs now return HTTP 401 Unauthorized instead of an HTTP 302 redirect for unauthenticated requests, simplifying client-side error handling in line with REST conventions.