A threat group planted a malicious npm package in a crypto trading project through an AI-generated commit by Anthropic's ...

Malicious Lightning 2.6.2/2.6.3 released April 30 enable credential theft via hidden payload, leading to PyPI quarantine and ...

A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary ...

In March 2026, someone hijacked a maintainer account for Axios, a JavaScript HTTP library downloaded more than 45 million ...

A critical vulnerability in the Cline Kanban server has been disclosed that allows any website a developer visits to silently ...

GitHub facades and Ethereum smart contracts power a March 2026 admin-targeted campaign, enabling resilient C2 rotation and ...

A new supply chain attack has hit the popular Python framework PyTorch Lightning. The attack allowed hackers to publish ...

Hundreds of software packages are affected, once again threatening enterprise credentials on coders’ machines.

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious ...

Hundreds of packages across npm and PyPI have been compromised in a new Shai-Hulud supply-chain campaign delivering ...

Researchers say the campaign targeted developer credentials and cloud secrets while abusing trusted publishing and AI coding ...