Security

Security Insights

Security best practices, threat analysis, and practical guidance for protecting your organization's data and infrastructure.

February 24, 2026

[Security]

OpenClaw Infostealer Attack: What the First AI Agent Identity Theft Means for Your Security

Infostealer malware stole OpenClaw AI agent configs, gateway tokens, and behavioral guidelines. With 135,000+ exposed instances and 1,184 malicious skills, here's what security teams need to know.

Read article

OWASP MCP Security Guide: What It Gets Right, What's Missing, and How to Actually Implement It

OWASP released a practical guide for secure MCP server development. We analyze the 8 security domains, highlight what matters most for SaaS companies, and connect it to SOC 2 and ISO 27001 compliance.

[Security]FEB 20

npm Supply Chain Attacks in 2026: What SaaS Engineering Teams Must Know

npm supply chain attacks are no longer theoretical. With Shai-Hulud compromising 796 packages and the September 2025 hijacking affecting 2 billion weekly downloads, SaaS teams need practical defenses beyond npm audit.

[Security]FEB 14

AI-Enabled Attack Patterns: What SaaS Companies Need to Know from Google's Q4 2025 Threat Report

Google's Threat Intelligence Group identified three emerging AI attack patterns in Q4 2025: distillation attacks, AI-powered malware, and nation-state AI integration. Here's what SaaS companies need to understand and how to defend against these evolving threats.

[Security]FEB 13

Phishing in 2026: ClickFix, Adversary-in-the-Middle, and AI-Powered Social Engineering

Phishing has evolved beyond Nigerian prince emails. Modern attacks use ClickFix techniques to trick users into running malicious commands, adversary-in-the-middle proxies to bypass MFA, and AI-generated content indistinguishable from legitimate communications. Here's how to update your defenses.

[Security]FEB 13

Supabase Security Best Practices for Production Apps

Learn how to secure your Supabase application with Row Level Security, proper authentication, API key management, and more. Prevent data breaches with this comprehensive security guide.

[Security]FEB 6

Moltbook Data Breach: AI Agent Security Lessons

In January 2026, Moltbook exposed 1.5 million API keys due to a Supabase misconfiguration. Learn what went wrong and how to prevent similar database security failures.

[Security]FEB 3

The Top AWS Security Misconfigurations we Find in Customer Environments

Unencrypted databases, exposed endpoints, IAM misuse: discover the AWS misconfigurations we fix most often during SOC 2 and ISO 27001 audits.

[Security]FEB 1

2026 Supply Chain Security Report: Lessons from a Year of Devastating Attacks

Software supply chain attacks doubled in 2025, with global losses reaching $60 billion. Analyze major attacks like Shai-Hulud, learn SOC 2 and ISO 27001 compliance requirements, and implement practical defenses.

[Security]JAN 30

Secrets Management 101: Stop Storing Credentials in .env Files

Learn why .env files are a security risk - especially with AI coding agents - and how to implement proper secrets management with tools like Vault, AWS Secrets Manager, and Doppler.

[Security]JAN 27

MDM for Startups: Why We Built a Security-First Solution

We built an MDM that gives startups real device security (encryption, remote wipe, inventory) without enterprise bloat, reducing risk, simplifying compliance, and avoiding yet another vendor.

[Security]JAN 23

Nx Supply Chain Attack Exposes Thousands of Developer Credentials on Github - What you should do to keep your organization secure

In August 2025, attackers compromised popular Nx npm packages, embedding malware that stole developer credentials and published them openly on GitHub. Millions risk exposure, from API keys to cloud access tokens. Organizations must urgently rotate credentials, update dependencies, audit logs, and adopt stricter supply chain security practices.

[Security]SEP '25

MCP Security Risk: Hardcoded Credentials in AI Tool Configurations

48% of MCP servers recommend insecure credential storage. Learn secure alternatives using input variables and vault-based injection.

[Security]JAN '25

Other platforms check the box

We secure the box

Get in touch and learn why hundreds of companies trust Bastion to manage their security and fast-track their compliance.

Get Started