GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS ...

Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm. The node-ipc ...

The TeamPCP hacking group has released the Shai-Hulud worm’s source code and is challenging miscreants to use it in attacks.

Cybersecurity researchers are sounding the alarm about what has been described as "malicious activity" in newly published ...

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious versions anyway. The CI/CD Trust-Chain Audit Grid maps the six gaps it ...

A supply chain attack on SAP-related npm packages has put fresh scrutiny on the developer tools and build workflows that enterprises rely on to produce software. The campaign, referred to as “mini ...

Microsoft has had a VS Code extension for a long time, and it finally came back to bite them.

Sometime around the last week of May 2026, attackers uploaded poisoned packages to three of the most widely used software ...

Google has patched an Android ADB bug in the May security patch set. If you have a Pixel phone you should already have the patches, and most other major manufacturers should be close behind.

Claude’s Computer Use feature can do something an ordinary chatbot cannot. It can open a terminal on your computer and install software on your behalf, including packages pulled straight from npm, the ...

North Korea-linked hackers have upgraded the InvisibleFerret malware to bypass script-based security tools, converting its Python code into compiled modules that are harder for defenders to inspect ...

GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ...