A threat group planted a malicious npm package in a crypto trading project through an AI-generated commit by Anthropic's ...
Malicious Lightning releases 2.6.2/2.6.3, published April 30, enable credential theft via a hidden payload, leading to PyPI quarantine and ...
In March 2026, someone hijacked a maintainer account for Axios, a JavaScript HTTP library downloaded more than 45 million ...
A critical vulnerability in the Cline Kanban server has been disclosed that allows any website a developer visits to silently ...
GitHub facades and Ethereum smart contracts power a March 2026 admin-targeted campaign, enabling resilient C2 rotation and ...
A new supply chain attack has hit the popular Python framework PyTorch Lightning. The attack allowed hackers to publish ...
Hundreds of software packages are affected, once again threatening enterprise credentials on coders’ machines.
Researchers say the campaign targeted developer credentials and cloud secrets while abusing trusted publishing and AI coding ...
A new wave of the Mini Shai-Hulud campaign compromised dozens of TanStack npm packages as part of a broader supply chain ...
Thirteen critical vulnerabilities have been found in the vm2 JavaScript sandbox package that could allow an attacker’s code ...
Four SAP NPM packages compromised in the Mini Shai-Hulud supply chain attack trigger a Bun runtime to install an information ...