Posts by
For over three years now (since November 2022), Boost Labs has been publishing research on CI/CD attack techniques, documenting how attackers move through build pipelines, steal credentials, and pivot into cloud environments. Security teams read the research…and put the fixes on the backlog. Theoretical vulns don’t light a fire under any team.
Over the past few years, Boost Security’s research team at Boost Labs has been deeply curious about how attackers might pivot from traditional application vulnerabilities to exploiting the CI/CD machinery itself. The team has spent extensive time studying "Living Off The Pipeline" (LOTP) techniques, mapping out how build tools, runner memory, and service accounts can be manipulated to turn the software factory against itself.
TL;DR We're releasing bagel, an open-source CLI that inventories security-relevant metadata on developer workstations. Credentials, misconfigs, and exposed secrets. It's cross-platform, privacy-first, and designed to help security teams understand the attack surface that modern supply chain adversaries are actively exploiting. Stay tuned for more exciting news about how Boost works to secure every part of the modern software factory (developer endpoints included).
TL;DR: Malicious code caching, dangling commits, pseudo-versions stealthily pointing to backdoors... Go makes you just as vulnerable as other ecosystems to social engineering attacks, and can even help malicious actors cover their tracks. Go enables new manipulation techniques to subtly trick users into downloading malicious packages. In this article, we describe various attack vectors in the Go ecosystem, from social engineering to well-known attacks such as repojacking, domain hijacking, and dependency confusion. Go's ecosystem guarantees integrity, not trust.
In our last post, we released the BoostSecurity Safe Package MCP server: a lightweight guardrail that lets coding agents check dependency safety before they install anything. That helps stop typosquats, malware-laced releases, and risky, unmaintained packages from ever reaching your machine.
Today, we’re taking the next step in developer supply-chain defense:
Poutine brings Model Context Protocol (MCP) superpowers to your editor/agent so it can analyze repos and build pipelines on demand, spot dangerous CI/CD coding patterns, and validate newly generated pipelines, all inline while you code.
BoostSecurity emerged from stealth last week with $12 million in seed money that CEO Zaid Al Hamami said will help them extend new development features for customers, hire more developers, and generally grow the business.
This article is part of a series about the security of the software supply chain. Each article will be analyzing a component of the Supply chain Levels for Software Artifacts (SLSA) model in depth, from the developer’s workstation all the way to the consumer side of the chain. The first article, published last week, was about protecting the Source code.
This article is part of a series about the security of the software supply chain. Each article will be analyzing a component of the Supply chain Levels for Software Artifacts (SLSA) model in depth, from the developer’s workstation all the way to the consumer side of the chain.
BoostSecurity, a developer-first DevSecOps automation platform, has secured $12m for its seed round, as it emerges from stealth.
Fresh startup BoostSecurity has an SaaS platform for developers and security teams that provides automated tools to shore up cybersecurity within the software supply chain.
