Modern software is mostly other people's code. A typical application pulls in hundreds of open-source packages, each pulling in more, and every one runs with the trust of the app that imports it. Attackers noticed.
Instead of breaking into a company, they poison something the company already installs and let the build do the rest. One compromised package can reach every project that depends on it.
It has played out again and again: malicious packages published to public registries, legitimate projects taken over and backdoored, dependency confusion that tricks a build into pulling a hostile version, typosquatted names waiting for a developer's slip.
The reason it works is trust inheritance. A package manager does not know a maintainer was compromised, and a build script does not know a name was typosquatted, so the malicious code is trusted the moment it lands.
Most security tooling still watches the perimeter and the running app. A supply-chain compromise arrives earlier, inside the software itself, before anything is deployed.
Defending that chain is not one check at one gate. It runs from what enters the build, through what gets produced, to the first-party code written on top. That is a useful way to read this year's winners.
Start at intake. ActiveState won in Open Source Security for maintaining vetted versions of popular open-source packages, so teams install from a controlled source instead of pulling straight from a public registry.
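The intake controls described above (resolve only from a vetted source, and do not let a typosquatted or confused name slip into the build) can be enforced mechanically on the lockfile before anything is installed. The following is an added example written for this piece, not code from the page or from any of the vendors it names. It audits a constructed npm-style lockfile against an allowlist of approved registry hosts, a list of names known to be internal, and a set of known-good package names; the mirror hostname, package names and integrity values are all invented for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape of an npm lockfileVersion 3 file.
# Hostnames, package names and integrity strings are invented, not real.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        # Approved: resolved from the internal mirror, integrity pinned.
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://mirror.example.internal/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-CONSTRUCTED-A",
        },
        # Typosquat candidate: one transposition away from a known-good name,
        # pulled straight from a public registry.
        "node_modules/lodahs": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/lodahs/-/lodahs-1.0.0.tgz",
            "integrity": "sha512-CONSTRUCTED-B",
        },
        # Dependency confusion candidate: an internal name resolved from a
        # public host, with no integrity hash recorded.
        "node_modules/acme-internal-utils": {
            "version": "9.9.9",
            "resolved": "https://registry.npmjs.org/acme-internal-utils/-/acme-internal-utils-9.9.9.tgz",
        },
    },
})

ALLOWED_HOSTS = {"mirror.example.internal"}      # hypothetical vetted mirror
INTERNAL_NAMES = {"acme-internal-utils"}         # names that must never come from a public host
KNOWN_GOOD = {"lodash", "express", "react"}      # names used as the typosquat reference set


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'lodahs' vs 'lodash' scores 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def audit_lock(lock_text, allowed_hosts, known_good, internal_names, max_distance=1):
    """Return (package, finding, detail) tuples for every lockfile entry that
    violates the intake policy. An empty list means the lockfile is clean."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
        host = urlparse(meta.get("resolved", "")).hostname or ""
        if host not in allowed_hosts:
            findings.append((name, "unapproved-source", host or "<no resolved url>"))
        if name in internal_names and host not in allowed_hosts:
            findings.append((name, "dependency-confusion", host or "<no resolved url>"))
        if not meta.get("integrity"):
            findings.append((name, "missing-integrity", ""))
        if name not in known_good:
            for good in known_good:
                if 0 < osa_distance(name, good) <= max_distance:
                    findings.append((name, "possible-typosquat", good))
    return findings


if __name__ == "__main__":
    for pkg, kind, detail in audit_lock(SAMPLE_LOCK, ALLOWED_HOSTS, KNOWN_GOOD, INTERNAL_NAMES):
        print(f"{kind:22} {pkg:25} {detail}")
```

Run as a pre-install gate in CI, a non-empty result from `audit_lock` fails the build. The three checks map onto the three intake failures the article lists: an unapproved host means the build bypassed the vetted source, an internal name resolved from a public host is the dependency-confusion pattern, and a name one edit away from a known-good package is the typosquat pattern. The edit-distance threshold of 1 is deliberately tight to keep false positives low; raise it only together with a denylist of names you have already vetted.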
Then the artifact itself: ReversingLabs won in Software Supply Chain Security for scanning built packages and binaries, catching a dependency that was clean at source but malicious after a maintainer takeover or a poisoned release, the kind of tampering source-level scanning never sees. And because dependencies do not hold still, CleanStart Security won in the same category for showing teams which components carry known risk or have quietly changed hands, before the next build ships them.
Even with a clean dependency graph, the code a team writes on top still has to hold. AISLE won for an AI-native application security platform that finds and helps fix flaws in first-party code at the speed teams ship.
HoundDog was recognized for a privacy code scanner that catches sensitive data leaking through code before production, where it becomes credential exposure or customer-data leakage, not just a compliance problem later.
The supply chain reframes the basic question. It is no longer only whether your code is secure, but whether you can trust what it is made of, where those pieces came from, and what changed before release.
No single tool closes the chain, which is why the winners sit at different links of it. The honest goal is to narrow where you place trust, not to pretend you can stop inheriting it.
Trust a build that pulls code automatically, and you trust every maintainer upstream. The most dangerous code in your environment may be code you never wrote.
The complete list of 2026 Cybersecurity Stars Awards winners is live at awards.thehackernews.com/winners/2026.
Part of The Stars Briefing, our editorial series on the trends behind the 2026 Cybersecurity Stars Awards, a program The Hacker News runs. This piece analyzes where the field is moving and uses the winners as examples. It is not a product review.
