Tag: GitHub

Aviator Predictor Malware

Aviator Predictor-style apps can be used as fake crypto and crash-game tools.…

Brendan Smith

Gogs RCE Zero-Day: Check Open Registration

Rapid7 disclosed a critical unpatched Gogs RCE path. Check open registration, repository…

Stephanie Adlam

TrapDoor Hits npm, PyPI and Crates.io With AI Config Poisoning

TrapDoor spreads malicious packages through npm, PyPI and Crates.io, steals developer secrets,…

Stephanie Adlam

Megalodon GitHub Actions Malware

Megalodon injected malicious GitHub Actions workflows into 5,561 repositories. Here is what…

Stephanie Adlam

Deno RAT Fake Downloads

Malwarebytes found fake GitHub and SourceForge downloads impersonating ChatGPT, Claude, AutoTune, and…

Stephanie Adlam

npm Staged Publishing: What Maintainers Should Change Now

npm CLI 11.15.0 adds staged publishing and new install-source controls. Here is…

Stephanie Adlam

Packagist Postinstall Malware: What Developers Should Check

A Packagist and GitHub supply-chain campaign used malicious postinstall hooks to fetch…

Stephanie Adlam

GitHub Internal Repos Exposed Through Poisoned VS Code Extension

GitHub says an employee device was compromised through a poisoned VS Code…

Stephanie Adlam

Shai-Hulud AntV npm Supply-Chain Wave: What Developers Should Check

Shai-Hulud returned in an AntV npm supply-chain wave affecting hundreds of packages.…

Stephanie Adlam

Mini Shai-Hulud Hits TanStack npm Packages With Signed Malware

Mini Shai-Hulud abused trusted publishing to ship malicious TanStack npm packages with…

Stephanie Adlam

Checkmarx Jenkins Plugin Compromise Put CI Secrets at Risk

A rogue Checkmarx AST Scanner Jenkins plugin release put CI/CD source code…

Stephanie Adlam

Operation HookedWing Phishing Hit 500+ Organizations

Operation HookedWing used GitHub Pages, compromised servers, and staged redirects to target…

Stephanie Adlam
