Hello test,

Supply chain attacks are getting smarter, and attackers are now using AI to write and spread malware through packages your developers trust.

This month covers where that's showing up, a governance framework to get ahead of August's EU AI Act enforcement, and a webinar on May 28 on governing dependency exposure at scale.

What's new

AI Security Governance: A Practical Framework

The EU AI Act's enforcement provisions go live in August 2026, and most teams can't yet prove what AI they're running, who owns it, or how risk is classified. Mend.io's AI Security Governance Framework covers building an AI asset inventory, applying a risk classification model, and generating the compliance evidence regulators now require. Built for actual governance reviews, not background reading.

👉 Download the AI Security Governance Framework

Complete Guide to Open Source & AI Licensing

Using a model with open weights is not the same as using open source software, and the compliance obligations depend on how you're delivering it. This guide covers the highest-risk licensing scenarios in 2026, how copyleft behaves differently with AI delivery models, and a practical compliance workflow across code, model artifacts, datasets, and deployment. Relevant for engineering, legal, and security teams who share responsibility for license risk.

👉 Get the Complete Guide to Open Source & AI Licensing

Live webinar

When software becomes business risk: governing dependency exposure at scale

May 28 | 11:00 AM ET

Dependency risk looks like a never-ending technical problem. This session reframes it as a business risk conversation and walks through what proactive governance looks like at scale, not just patching faster but establishing supply chain visibility across your whole portfolio. 

👉 Register now

Where risk is showing up

Anthropic’s Project Glasswing: How Claude Mythos is Changing the Rules for AppSec

Anthropic's Claude Mythos Preview autonomously found a 27-year-old vulnerability in OpenBSD and a 16-year-old flaw in FFmpeg that automated tools had run past five million times without flagging. Project Glasswing, backed by AWS, Microsoft, Google, and CrowdStrike, is putting those same capabilities to work for defense before attackers get there first. If your program is still built around slow-cycle scanning and a remediation queue measured in weeks, read this.

👉 Read what Project Glasswing means for your security program

A backlog full of findings is exactly the window attackers need

AI-assisted attacks move at development speed. Findings that sit in a queue for weeks create the exposure window attackers are looking for. Mend.io surfaces automated SAST fix suggestions for Java, JavaScript/TypeScript, and C# directly inside GitHub pull requests. Developers apply the fix with a single click, before code reaches review, not three sprints later.

👉 See how one-click remediation works

“When talking about security, improvement is hard to measure. We haven’t had a security breach yet, and it’s probably because we use products like Mend.io…I would say it reduced the vulnerabilities in production by about 80 percent. When we have a release or run the script, it automatically picks up the vulnerabilities.”

Kieran Whelan

Principal Security Engineer
texthelp

👉 See how teams use Mend.io

Popular reads

• PhantomRaven Wave 5: 33 malicious NPM packages targeting DeFi, cloud, and AI developers

• Shai-Hulud strikes SAP: supply chain worm weaponized Claude Code to compromise the CAP framework

• The Butlerian Jihad: compromised Bitwarden CLI deploys npm worm and poisons AI assistants

• CVE-2026-31431 (Copy Fail): Linux Kernel LPE, mitigate before patching

Mend.io secures the code layer and the AI layer, and continuously protects the interaction between them, where modern risk emerges.

Send to a Friend ·  View this Online ·  Manage your preferences ·  Unsubscribe

Mend.io: 4 Ariel Sharon St, Givatayim 532004, Israel