Tag: Supply Chain Attack

OptinMonster CDN Backdoor Checks

WordPress sites using OptinMonster, TrustPulse, or PushEngage should check for rogue admin…

Brendan Smith

TrapDoor Hits npm, PyPI and Crates.io With AI Config Poisoning

TrapDoor spreads malicious packages through npm, PyPI and Crates.io, steals developer secrets,…

Stephanie Adlam

Packagist Postinstall Malware: What Developers Should Check

A Packagist and GitHub supply-chain campaign used malicious postinstall hooks to fetch…

Stephanie Adlam

Laravel-Lang Composer Packages Rewritten to Steal CI Secrets

Laravel-Lang Composer packages were compromised through rewritten tags that run a PHP…

Stephanie Adlam

Grafana Says Missed Token Let Attackers Copy Private Repos

Grafana says attackers copied two private GitHub repositories after one workflow token…

Stephanie Adlam

GitHub Internal Repos Exposed Through Poisoned VS Code Extension

GitHub says an employee device was compromised through a poisoned VS Code…

Stephanie Adlam

Shai-Hulud AntV npm Supply-Chain Wave: What Developers Should Check

Shai-Hulud returned in an AntV npm supply-chain wave affecting hundreds of packages.…

Stephanie Adlam

node-ipc npm Package Compromised With Credential Stealer

Malicious node-ipc versions 9.1.6, 9.2.3, and 12.0.1 were published to npm with…

Stephanie Adlam

RubyGems Pauses Signups After Malicious Package Attack

RubyGems disabled new account registration after reports of hundreds of malicious packages,…

Stephanie Adlam

Mini Shai-Hulud Hits TanStack npm Packages With Signed Malware

Mini Shai-Hulud abused trusted publishing to ship malicious TanStack npm packages with…

Stephanie Adlam

Checkmarx Jenkins Plugin Compromise Put CI Secrets at Risk

A rogue Checkmarx AST Scanner Jenkins plugin release put CI/CD source code…

Stephanie Adlam

Fake OpenAI Hugging Face Repo: Infostealer Warning

HiddenLayer says a fake OpenAI-themed Hugging Face repository copied a privacy-filter model…

Stephanie Adlam
