According to Socket, malicious payment SDK packages on npm and PyPI are harvesting developer credentials and CI/CD ...
ActiveState explains how GitHub Actions attack chains can evade traditional CI security scanners, why passing a scan doesn't ...
The FBI warned that TeamPCP software supply chain attacks targeted developer tools to steal cloud credentials, SSH keys, and ...
Researchers have uncovered a supply-chain attack that hides in Python packages, propagates like a worm, and tricks LLM-based code analysis systems into overlooking malicious payloads. Threat actors ...
GitHub disabled 73 Microsoft repositories after a Miasma supply chain attack. Malicious commits targeted AI coding tools, VS Code, and developer workstations. Developers should rotate credentials if ...
GitHub CISO Alexis Wales confirmed Thursday that a poisoned build of the Nx Console Visual Studio Code extension — live on Microsoft's official Visual Studio Marketplace for just 18 minutes on May 18 ...
GitHub confirmed on May 20 that a poisoned VS Code extension installed on an employee’s device gave attackers access to roughly 3,800 internal repositories at the Microsoft-owned code storage and ...
Microsoft has identified an active supply chain attack targeting the @antv node package manager (npm) package ecosystem. A threat actor compromised an @antv maintainer account and published malicious ...
The most popular impacted package is size-sensor, downloaded 4.2 million times per month, followed by echarts-for-react (3.8 million), @antv/scale (2.2 million) and timeago.js (1.15 million). The ...
Over 170 packages across multiple high-profile NPM and PyPI projects were compromised in a new, coordinated Mini Shai-Hulud software supply chain attack. The campaign hit 42 TanStack packages, 65 ...
Hugging Face and ClawHub, the two largest repositories for AI models and agent skills, have been systematically compromised with hundreds of malicious entries that steal credentials, open backdoors, ...