Wiz io

@wizsecurity.bsky.social

Secure everything you build and run in the cloud

106 Followers  |  9 Following  |  100 Posts  |  Joined: 19.11.2024  |  1.9076

Latest posts by wizsecurity.bsky.social on Bluesky

65% of Startups from Forbes AI 50 Leaked Secrets on GitHub | Wiz Blog A Wiz investigation into the Forbes AI 50 reveals 65% of leading AI startups had leaked secrets. See real examples, leak types, and how to prevent this.

🤖 65% of Forbes AI 50 companies leaked secrets on GitHub. Shay from our research team revealed how AI speed without security = leaks waiting to happen.
Full Wiz Research report 👉 www.wiz.io/blog/forbes-...

10.11.2025 14:57 — 👍 0    🔁 0    💬 0    📌 0

New CTF challenge ($20,000 IN PRIZES) 💥

We're running "Operation Cloudfall" - a live CTF during BlackHat & zeroday.cloud on December 10-11.

Get your free pass to the event today: zeroday.cloud/operation-cloudfall
See you in London 🇬🇧

06.11.2025 17:55 — 👍 0    🔁 0    💬 0    📌 0

Path-Man | Wiz Find exploitable exposures before hackers do

🕹️ Meet Path-Man: Your new favorite game. 👾👾👾

Our 1-minute Wiz ASM game has arrived!

🤔 Here's the challenge: Navigate the attack surface to reach exploitable risk before the attackers get you.

Think you've got the skills? wiz.io/path-man

05.11.2025 13:15 — 👍 1    🔁 0    💬 0    📌 0

🎃 Something spooky's brewing in the cloud...

Introducing a new CTF challenge - "Game of Pods" 🕸️

💀 Written by top Azure researcher & worth 30 points, it's our BIGGEST challenge yet!

Get your skills ready for zeroday.cloud: cloudsecuritychampionship.com

27.10.2025 13:40 — 👍 0    🔁 0    💬 0    📌 0

Need a partner to finish that exploit chain for ZERODAY.CLOUD?

We just launched our Research Collaboration Center at zeroday.cloud/collab to connect researchers, combine skills, and meet the deadline. 🤝

The clock is ticking... ⏱️

23.10.2025 16:00 — 👍 0    🔁 0    💬 0    📌 0

Our biggest reminder yet. ZERODAY.CLOUD.

A first-of-its-kind, open-source cloud hacking competition.

Find vulnerabilities in the critical open-source software that powers the cloud, and compete for your share of a $4.5M prize pool.

➡️ www.zeroday.cloud

16.10.2025 17:24 — 👍 1    🔁 0    💬 0    📌 0

🎁 We're giving away 2,000 SHIFT LEFT keyboards ↓

Want one on your desk?
Fill out the form >> redeem.reachdesk.com/lp/wiz/shift...

That's it! The keyboard is on its way 📦

Why are we doing this? 👀
A secret game is coming… and the whole world is invited.

16.10.2025 16:49 — 👍 0    🔁 0    💬 0    📌 0

Supply Chain Risk in VSCode Extension Marketplaces | Wiz Blog Wiz Research uncovered 500+ leaked secrets in VSCode and Open VSX extensions, exposing 150K installs to risk. Learn what happened and how it was fixed.

🚨 Wiz Research uncovered 100+ leaked VSCode publisher tokens that could let attackers push malicious updates to 185K+ installs. We partnered with Microsoft to secure tokens and protect the ecosystem.

15.10.2025 14:34 — 👍 2    🔁 2    💬 0    📌 0

Emerging Threat: AI-Powered Malware Attacks | Wiz Blog From LameHug to s1ngularity, attackers are invoking AI directly in malware payloads.

@scottpiper.bsky.social highlights an emerging trend of attackers incorporating AI into their payloads, providing recent examples, and discussing the implications of this trend.

Full analysis: www.wiz.io/blog/the-eme...

09.10.2025 14:31 — 👍 1    🔁 0    💬 0    📌 0

Emerging Threat: AI-Powered Malware Attacks | Wiz Blog From LameHug to s1ngularity, attackers are invoking AI directly in malware payloads.

🤖 We're witnessing something unprecedented with AI agents:
Malware that literally prompts ChatGPT, Claude, and other LLMs to write its own attack code. Live. On victim machines.

09.10.2025 14:31 — 👍 0    🔁 0    💬 1    📌 0

Introducing ZERODAY.CLOUD🕵️‍♀️
Be the first to participate in the first-of-its-kind cloud hacking competition. 🤝

WIN HUGE PRIZES from our up to 4.5 million dollar prize pool. 💰🏆

Join us to help make the cloud a safer place. Register your exploit now >> zeroday.cloud

30.09.2025 17:39 — 👍 1    🔁 1    💬 0    📌 0

@fortune.com JUST DROPPED A FEATURE ON Wiz 🔥

If you've been following the Wiz story, this one's for you.

HUGE shoutout to everyone who made this story worth telling. You helped build something Fortune couldn't ignore 💙

fortune.com/article/wiz-...

30.09.2025 14:58 — 👍 2    🔁 0    💬 0    📌 0

🚨 #Shai-Hulud: Major npm supply chain attack.

100+ packages weaponized with stolen GitHub tokens, stealing secrets, hijacking repos, and auto-propagating like a worm.

Guidance + detections inside

www.wiz.io/blog/shai-hu...

16.09.2025 14:20 — 👍 3    🔁 2    💬 0    📌 1

Widespread npm Supply Chain Attack: Breaking Down Impact & Scope Across Debug, Chalk, and Beyond | Wiz Blog A deeper look at the npm debug/chalk supply-chain incident: deobfuscating the wallet-hijacking browser interceptor, quantifying the ~2-hour exposure with Wiz telemetry (~99% package prevalence, ~10% m...

Impact: code reached ~10% of cloud envs in 2hrs. Risk highest for crypto apps serving JS. Blocklist bad versions, clear caches, rebuild, scan bundles. Wiz detections live in Threat Center. Learn more: www.wiz.io/blog/widespr...

09.09.2025 12:26 — 👍 0    🔁 0    💬 0    📌 0

🚨 Major npm hijack: Attackers took over Qix's account (chalk, debug & more). Malicious versions briefly hit npm, injecting browser code to hijack crypto transactions.
DuckDB ecosystem is also affected.

09.09.2025 12:26 — 👍 0    🔁 0    💬 1    📌 0

WizOS Is Here: Container Security from the Image Up | Wiz Blog WizOS is now in public preview: minimal, secured container images built by Wiz with near-zero CVEs. Join now to access the Secured Image Catalog.

Meet WizOS 💥 Public Preview! Secure, minimal container images with near-zero CVEs. Less patching, more speed, swap images right in your CI/CD & IDEs.
www.wiz.io/blog/wizos-t...

09.09.2025 11:07 — 👍 0    🔁 0    💬 0    📌 0

Wiz Uncovers SES Abuse Campaign Using Stolen AWS Access Keys | Wiz Blog From leaked AWS access keys to large-scale spam: Wiz Research uncovered a live Amazon SES abuse campaign, turning insights into early-warning detections.

🚨 One leaked #AWS key fueled a global phishing campaign. Wiz traced the attack, stopped it with Defend alerts, and added protections so one key never opens every door.

Full story 👉 www.wiz.io/blog/wiz-dis...

08.09.2025 12:13 — 👍 0    🔁 0    💬 0    📌 0

🚨 Your Cloud DFIR Desk Mat is here!
A first-ever poster mapping MITRE ATT&CK to key AWS, Azure & GCP log sources and API events.

📥 Get your copy: threats.wiz.io/cloud-dfir-p...

02.09.2025 13:44 — 👍 0    🔁 0    💬 0    📌 0

🚨 New CTF: Azure APT 🏆

Step into the shoes of an attacker targeting Azure. Use a malicious OAuth app, bypass restrictions, and capture the flag.

Can you solve all 12 CTFs and WIN our belt?

Test your skills with this month's CTF by Lior Sonntag 👉 www.cloudsecuritychampionship.com/challenge/3

28.08.2025 13:03 — 👍 0    🔁 0    💬 0    📌 0

s1ngularity: supply chain attack leaks secrets on GitHub: everything you need to know | Wiz Blog Detect and mitigate a critical supply chain compromise affecting the Nx NPM Package. Organizations should act urgently.

📂 Thousands of secrets leaked into attacker-created public GitHub repos.

👉 The repos are gone, but the damage has been done
- Rotate credentials + upgrade immediately.

Full breakdown here: www.wiz.io/blog/s1ngula...

27.08.2025 12:10 — 👍 0    🔁 0    💬 0    📌 0

s1ngularity: supply chain attack leaks secrets on GitHub: everything you need to know | Wiz Blog Detect and mitigate a critical supply chain compromise affecting the Nx NPM Package. Organizations should act urgently.

🚨 hashtag#s1ngularity: a supply chain attack hiding in the Nx npm package

Malicious versions stole hashtag#GitHub tokens, SSH keys, wallets, and secrets, even hijacking AI CLI tools to help exfiltrate data.

27.08.2025 12:10 — 👍 0    🔁 0    💬 1    📌 0

A new type of long-lived key on AWS: Bedrock API keys | Wiz Blog New AWS Bedrock keys simplify authentication while raising security considerations.

Full breakdown by @scottpiper.bsky.social : www.wiz.io/blog/a-new-t...

21.08.2025 12:52 — 👍 1    🔁 0    💬 0    📌 0

- Long-term keys are tied to IAM Users (and yes, we've already seen them exposed on GitHub)
- Short-term keys work differently, but both act as bearer tokens, a surprising shift from AWS's usual sigv4 approach

The good news? AWS is now scanning GitHub for exposed Bedrock keys.

21.08.2025 12:52 — 👍 0    🔁 0    💬 1    📌 0

🚨 New keys just dropped… and they're already leaking.

#AWS introduced Bedrock API keys, both long-term and short-term. On the surface, they look like just another way to authenticate.
But here's the twist ⬇️

21.08.2025 12:52 — 👍 1    🔁 0    💬 1    📌 0

🤖 AI agents are everywhere now.

So we put together a practical security guide that actually maps out what's happening in the wild. 👇

No fluff. Just the stuff security teams need to know.

Save this cheat sheet 💾

19.08.2025 12:08 — 👍 0    🔁 0    💬 0    📌 0

🤖 AI agents are everywhere now.

So we put together a practical security guide that actually maps out what's happening in the wild. 👇

No fluff. Just the stuff security teams need to know.

Save this cheat sheet 💾

19.08.2025 12:03 — 👍 0    🔁 0    💬 0    📌 0

Introducing Wizmojis.com >> Our cloud security emojis for your Slack & WhatsApp that finally get YOU.

💬 Some favorites:
* blame-the-intern
* cve-part
* phishing-season

⬇️ Comment below — What emoji do you need on Slack?
The best ideas might just make it into the next pack of Wizmojis.

14.08.2025 12:45 — 👍 0    🔁 0    💬 0    📌 0

Wizdom: Our first-ever user conference | Wiz An exclusive gathering of cloud security leaders, innovators, and practitioners.

You're officially invited to the BIGGEST WIZ EVENT of the year... WIZDOM!

We're going all in: Wizdom is your exclusive, in-person pass to the people & ideas shaping the future of cloud security ⬇︎

📍 New York City, Nov 3-5
📍 London, Nov 17-19

Your calendar won't block itself.
www.wiz.io/wizdom

13.08.2025 12:52 — 👍 0    🔁 0    💬 0    📌 0

Introducing Wiz for Exposure Management | Wiz Blog Wiz now supports exposure management across cloud, code, and on-prem – combining scanner data into one view to help teams prioritize and fix real risk.

Introducing... 🥁 Say hello to Wiz for Exposure Management! 🥳
Wiz for Exposure Management is a NEW way to unify, prioritize, and fix exposures everywhere it lives: in your cloud, code, and on-prem infrastructure.

Learn more: www.wiz.io/blog/wiz-for...

06.08.2025 12:41 — 👍 3    🔁 1    💬 0    📌 0

Breaking NVIDIA Triton: CVE-2025-23319 - A Vulnerability Chain Leading to AI Server Takeover | Wiz Blog Wiz Research discovers a critical vulnerability chain allowing unauthenticated attackers to take over NVIDIA's Triton Inference Server.

The breakdown:

- An internal memory name leaks in an error
- The public API gets turned against the backend
- And just like that, an attacker can take over the server

This puts #AI models, sensitive data, and entire environments at serious risk.

Full research → www.wiz.io/blog/nvidia-...

04.08.2025 12:57 — 👍 0    🔁 1    💬 0    📌 0

@wizsecurity is following 9 prominent accounts