supply-chain

(14 articles)

May 29, 2026

Sicoob NuGet Package Steals Banking Credentials

A malicious Sicoob NuGet package is stealing banking credentials while npm packages target cloud secrets. Here's what developers need to check right now.

May 23, 2026

Laravel-Lang PHP Packages Hit by Credential Stealer

Laravel-Lang PHP packages were compromised to deliver a cross-platform credential stealer. Here's what developers need to know and how to protect your apps.

May 15, 2026

node-ipc npm Package Compromised to Steal Credentials

Three malicious node-ipc versions exfiltrate cloud keys, SSH tokens, and CI/CD secrets via DNS TXT queries. Check your lockfiles now.

May 14, 2026

Stealer Backdoor Found in 3 Node-IPC Versions

A stealer backdoor was found in 3 Node-IPC versions targeting developer secrets. Learn what versions are affected and how to protect your supply chain.

May 4, 2026

PyTorch Lightning PyPI Package Drops Credential Stealer

PyTorch Lightning v2.6.3 on PyPI contained a hidden credential stealer targeting browsers, .env files, and cloud APIs. Here's what developers need to know.

April 23, 2026

Checkmarx KICS Supply-Chain Breach: What Devs Need to Know

Hackers trojanized Checkmarx KICS Docker images and VS Code extensions to steal cloud credentials, GitHub tokens, and SSH keys from developer environments.

April 10, 2026

GlassWorm Campaign Targets Developer IDEs via Zig Dropper

The GlassWorm campaign uses a Zig-compiled dropper to infect developer IDEs. Learn how it works, what's at risk, and how to protect your dev environment.

April 9, 2026

Smart Slider 3 Pro Hijacked to Push Backdoored Updates

Smart Slider 3 Pro version 3.5.1.35 was hijacked to push malicious WordPress and Joomla updates with hidden admin accounts and multi-layer backdoors.

April 5, 2026

36 Malicious npm Packages Exploited Redis and PostgreSQL to Deploy Persistent Implants

36 rogue npm packages abused Redis and PostgreSQL connections to plant persistent backdoors. Here is what happened and how to protect your supply chain.

April 1, 2026

Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms

Anthropic confirms Claude Code source was exposed via an npm packaging error. Here's what happened and how developers can protect their own packages.

March 27, 2026

Fake VS Code Alerts on GitHub Spread Malware to Developers

A coordinated campaign is flooding GitHub Discussions with fake VS Code security alerts, tricking developers into downloading malware via Google Drive links.

March 24, 2026

Ghost Campaign Uses 7 npm Packages to Steal Crypto Wallets and Credentials

A stealthy npm supply chain attack uses 7 malicious packages to harvest crypto wallet keys and credentials. Here's what developers need to know.

March 23, 2026

North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware

North Korean threat actors are exploiting VS Code auto-run tasks to silently deploy StoatWaffle malware. Here's what happened and how to protect your dev environment.

March 20, 2026

Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets

Attackers hijacked 75 tags in Trivy's GitHub Actions repo to steal CI/CD secrets. Here's what happened and how to protect your pipelines.