Rapid response | 1 min read
More supply chain compromises: Namaste, xinference, and more

Supply chain attacks are stealing cloud credentials via npm and PyPI. Here's what happened and what to do right now.

Threat intel | 21 min read
Inside Lazarus: How North Korea uses AI to industrialize attacks on developers

Expel is tracking a North Korean (DPRK) state-sponsored APT group. This group is targeting Web3 developers to steal cryptocurrency and NFTs.

Rapid response | 1 min read
OAuth hijacked: How a third-party breach hit Vercel

A compromised third-party app gave attackers OAuth access to Vercel. Here's what Expel found hunting across customer environments—and what to do now.

Threat intel | 5 min read
Anthropic Mythos didn’t break your security. It found what was already broken.

Anthropic Mythos didn't create new vulnerabilities. It just made them cheaper to find. Here's what defenders need to know.

Threat intel | 1 min read
Revisiting sound guidance: Countering the heightened threat of device code phishing

Device code authentication phishing bypasses MFA by exploiting a legitimate Microsoft feature. Here's how the attack works and how to stop it.

Threat intel | 4 min read
InstallFix: Not the application you were looking for

InstallFix is a new watering hole attack we're seeing, and it leverages Claude Code as the lure. Here's what you need to know.

Threat intel | 3 min read
Patch Tuesday: April 2026 (Expel’s version)

We're highlighting two critical CVEs, and we're also reviewing the Axios npm compromise from the end of March.

SOC | 9 min read
Why AI won’t replace your security team (and what it will do instead)

AI won't replace your security team, but it'll change what the job looks like. Here's what AI can and can't do in a SOC, and what skills matter most.

MDR | 6 min read
Why identity security is a verb, not a noun

Identity security doesn't end at login. See how attackers bypass MFA, steal sessions, and why continuous post-authentication detection is non-negotiable.

Current events | 5 min read
What RSAC 2026 actually taught us

What RSAC 2026 actually surfaced: AI hype fatigue, a broken value conversation in security services, and an attack surface most teams aren't watching.

Rapid response | 2 min read
Security alert: Axios npm supply chain attack

The Axios npm package suffered a supply chain attack from March 30-31. The malicious packages are no longer active, but here's what you need to know.

Product | 3 min read
What we built: March 2026

In March, Expel shipped four new features and one new integration we're sharing with you, including our new Mimecast email integration.