Codex tokens were exfiltrated via a popular npm package, affecting users since v0.1.82 and enabling persistent account access ...

A single npm user on Thursday published 14 malicious packages within a four-hour window, all mimicking popular OpenSearch, Elasticsearch, DevOps, and environment-configuration libraries, according to ...

A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and ...

Perplexity launches Bumblebee: How its new read-only dev scanner differs from Chainguard ...

GitHub’s internal repositories — now staged publishing in npm 11.15.0 requires a human 2FA approval before any package goes ...

TrapDoor spread 34 malicious packages across npm, PyPI, and Crates.io, stealing developer credentials and enabling persistence.

The Shai-Hulud supply-chain malware campaign is exploiting the automated systems developers trust to publish software safely.

Hulud payload to steal CI/CD secrets from Linux-based automation environments. The malware executes during npm install and ...

The Mini Shai-Hulud worm has resurfaced in one of its largest single-registry waves to date, hitting hundreds of npm packages ...

A fresh Mini Shai-Hulud supply chain attack has hit over 320 NPM packages, along with GitHub Actions and a VS Code extension.

On May 19, the Mini Shai-Hulud worm compromised one npm maintainer account and pushed 639 malicious versions across 323 ...

Mini Shai-Hulud npm campaign compromises @antv packages, targeting blockchain developers' GitHub tokens, AWS keys, and CI/CD secrets in a coordinated supply chain attack.