Blog

Stream now collects and analyzes full API traffic via our eBPF sensor and cloud-native log ingestion, with threat detection running across all of it.

AI agents and tools won't scale security until the environment itself is modeled. Real context isn't enrichment — it's a live representation of state. That shift changes what tools, harnesses, and agents actually mean, and what StreamForce is built on.

A critical Linux kernel vulnerability (CVE-2026-31431, "Copy Fail") allows an unprivileged process to corrupt any file's in-memory copy without writing to disk. In Kubernetes, this means an attacker in one pod can inject malicious code into binaries used by other pods on the same node - without any special permissions, without container escape, and without leaving a trace on the filesystem. We validated this on a live EKS cluster and built runtime detection for it.

AI workloads are dynamic, abstracted, and deeply embedded into modern applications, making them hard to track with traditional security tools. This creates a growing “shadow AI” problem where models, agents, and tools operate without oversight. Our AI workload discovery solves this by continuously analyzing cloud-native logs and runtime signals to identify all AI components in your environment—including hosted services, models, tools, and MCP servers. Each component is correlated to the workload executing it, the identity behind it, and its behavior over time. By baselining this activity, security teams can quickly spot anomalies such as new models, unauthorized integrations, or unusual usage patterns. More importantly, this visibility feeds directly into detection and response, enabling full attack storylines that include the AI layer.

The cloud security industry has a blind spot , and it's hiding in plain sight. Most cloud detection and response solutions were built for one world: public cloud. AWS, Azure, GCP. Clean APIs, structured logs, well-documented services. But that's not the world many enterprises actually live in. The reality? Your attack surface doesn't stop at your cloud boundary. Workloads run on VMware. Traffic routes through on-prem to cloud, And adversaries know that the seams between environments are where detection falls apart. Today, we're closing that gap. Stream Security now delivers full attack path analysis and runtime threat detection across hybrid cloud environments, starting with VMware (including NSX), on-premises routers, and network infrastructure.

Hours ago, axios - one of the most popular npm packages with 60M+ weekly downloads - was compromised. Malicious versions dropped a multi-platform RAT with anti-forensic cleanup. This is the second major supply chain attack in a week, days after TeamPCP's Trivy/LiteLLM campaign. The CI/CD scanner side of this story is well-documented. This post is about what happens after the malware runs - because that's where most organizations actually fail.

TL;DR: A single compromised CI/CD token cascaded into the largest multi-ecosystem supply chain attack of 2026 - hitting GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI in under a week. LiteLLM - one of the most widely deployed AI/ML packages in cloud environments - was among the targets. Here's the full attack chain, what the malware does, and how to detect it in your cloud infrastructure.

Stream Security now supports native ingestion of OpenAI Platform audit logs, extending real-time threat detection and response to your AI control plane. Security teams gain immediate visibility into sensitive administrative activity across OpenAI Platform Organizations including API key lifecycle events, service account creation, identity and role changes, project configuration updates, and security control modifications like IP allowlists and SCIM. The integration is agentless, easy to enable, and provides out-of-the-box detections so teams can investigate and respond faster from a unified cloud security platform.

AI oversight collapsed in steps as systems became "good enough." We got speed but lost resilience. Errors now accumulate silently and surface after dependencies compound. Adding more AI to the SOC accelerates this problem. The fix is architectural: a continuously updated model of your environment that knows what's true now.

CrowdStrike’s latest announcement around “real-time Cloud Detection and Response” is an important signal. It confirms what the market already knows: cloud security can no longer tolerate multi-minute blind spots. Enabling detections inline, before logs are written to the database, is objectively and definitely progress. It means that detection is no longer dependent on storage or ingestion delays. ‍