supply chain attack

(29 articles)

June 1, 2026

Miasma Attack Hits Red Hat npm Packages

The Miasma supply chain attack compromised Red Hat npm packages with a credential-stealing worm. Here's what developers need to know and do right now.

June 1, 2026

OpenAI Codex Tokens Stolen in npm Supply Chain Attack

Malicious npm package codexui-android stole OpenAI Codex authentication tokens. Here's what developers need to know and how to protect your projects.

May 27, 2026

Malicious npm Package Stole Claude AI Files via GitHub

A malicious npm package silently exfiltrated files from Claude AI's user directory and uploaded them to GitHub. Here's how it worked and what to do.

May 27, 2026

GlassWorm Malware Takedown Hits Supply Chain

GlassWorm malware infrastructure has been dismantled, exposing how developer supply chain attacks operated. Here's what you need to know to stay protected.

May 23, 2026

Laravel Lang Packages Hijacked: Credential Malware

Attackers hijacked Laravel Lang Composer packages via tag rewrites to deploy a cross-platform credential stealer. Here's what happened and how to respond.

May 22, 2026

Megalodon GitHub Attack Hits 5,561 Repos via CI/CD

The Megalodon GitHub attack injected malicious CI/CD workflows into 5,561 repos. Learn how it works and how to protect your pipelines now.

May 21, 2026

GitHub Repos Breached via Malicious Nx Console Extension

A malicious Nx Console VS Code extension was used to breach GitHub internal repositories. Here's how the attack worked and what developers must do now.

May 20, 2026

Grafana GitHub Breach: TanStack npm Attack Exposed

Grafana's GitHub was breached via a malicious TanStack npm package. Learn how the supply chain attack worked and how to protect your repositories.

May 19, 2026

Nx Console 18.95.0: Compromised VS Code Extension

Nx Console 18.95.0 was hijacked to steal developer credentials via VS Code. Learn what happened, who's at risk, and how to protect your environment now.

May 19, 2026

GitHub Action Tags Hijacked to Steal CI/CD Secrets

Popular GitHub Action tags were redirected to imposter commits designed to steal CI/CD credentials. Here's how the attack works and how to protect your pipelines.

May 19, 2026

Malicious AntV npm Packages via Hijacked Account

Mini Shai-Hulud pushed malicious AntV npm packages through a compromised maintainer account. Here's what developers need to know to stay protected.

May 13, 2026

GemStuffer Hijacks 150+ RubyGems to Steal UK Data

GemStuffer abused over 150 RubyGems packages to exfiltrate scraped UK council portal data. Here's how the attack works and what Ruby devs must do now.

May 12, 2026

Shai-Hulud Worm Hits TanStack, Mistral AI Packages

The Mini Shai-Hulud worm has compromised TanStack, Mistral AI, Guardrails AI and more. Learn what's affected and how to protect your dependencies now.

May 11, 2026

Checkmarx Jenkins Plugin Hit in Supply Chain Attack

TeamPCP compromised the Checkmarx Jenkins AST Plugin weeks after the KICS supply chain attack. Here's what developers need to know to protect their pipelines.

April 30, 2026

PyTorch Lightning Supply Chain Attack Steals Creds

PyTorch Lightning and intercom-client were hit in coordinated supply chain attacks. Here's how the credential theft worked and what developers must do now.

April 29, 2026

SAP npm Packages Hit in Credential-Stealing Attack

Malicious SAP-related npm packages were caught stealing credentials in a supply chain attack. Here's what developers need to check right now.

April 23, 2026

Bitwarden CLI npm Package Compromised to Steal Credentials

The Bitwarden CLI npm package was backdoored for 90 minutes on April 22, 2026. Learn what was stolen, how it spread, and what developers must do now.

April 23, 2026

Bitwarden CLI Hit by Checkmarx Supply Chain Attack

The Bitwarden CLI is being targeted in an active Checkmarx supply chain campaign. Learn what's at risk and how to protect your build pipeline now.

April 22, 2026

npm Supply Chain Worm Steals Developer Tokens

A self-propagating worm is hijacking npm packages to steal developer tokens. Learn how it spreads and what you can do to protect your projects now.

April 20, 2026

Anthropic MCP Flaw Enables RCE and AI Supply Chain Risk

A design vulnerability in Anthropic's MCP protocol enables remote code execution, putting AI supply chains at serious risk. Here's what developers need to know.

April 16, 2026

Taboola Routes Banking Sessions to Temu: What's at Risk

Taboola's ad scripts are routing logged-in banking session data to Temu servers. Here's what developers need to know and how to stop it now.

April 15, 2026

WordPress EssentialPlugin Suite Hacked to Push Malware

30+ WordPress plugins in the EssentialPlugin package were backdoored to push malware via updates. Here's what happened and how to protect your site.

April 14, 2026

108 Malicious Chrome Extensions Steal User Data

108 malicious Chrome extensions were caught stealing Google and Telegram credentials from 20,000 users. Here's how they work and how to protect yourself.

April 13, 2026

OpenAI Revokes macOS Certificate After Supply Chain Attack

OpenAI revoked its macOS app certificate after a malicious Axios supply chain incident exposed users to tampered builds. Here's what developers need to know.

April 6, 2026

LiteLLM Flaw Turns Dev Machines Into Credential Vaults

A critical LiteLLM vulnerability exposed developer machines as credential vaults for attackers. Learn how it works and how to protect your AI toolchain now.

April 3, 2026

CERT-EU: European Commission Hack Exposes Data of 30 EU Entities

TeamPCP breached the European Commission's AWS environment using a stolen API key, exposing data from 30+ EU entities. Here's how it happened and what devs must do.

April 1, 2026

Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069

Google links the Axios npm supply chain attack to North Korean threat group UNC1069. Here's what happened and how developers can protect their code.

March 31, 2026

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

A compromised npm account pushed a cross-platform RAT through the Axios package. Here's what happened and how developers can protect their supply chain.

March 24, 2026

TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials

TeamPCP compromised Checkmarx GitHub Actions pipelines using stolen CI credentials. Here is what happened and how to lock down your own pipelines.