Over 170 TanStack, Mistral AI, OpenSearch, UiPath, and other packages were affected in a new Mini Shai-Hulud supply chain ...

A security researcher’s decompilation of the White House’s official mobile app uncovered hidden GPS tracking, insecure code practices, and risky third‑party dependencies. The app transmits location ...

A malicious version of the PyTorch Lightning package published on the Python Package Index (PyPI) delivers a ...

In the first five months of 2026, security researchers have flagged more malicious packages on the npm registry than in all ...

The wave of supply chain attacks aimed at security and developer tools has washed up more victims, namely SAP and Intercom ...

Malicious Lightning 2.6.2/2.6.3 released April 30 enable credential theft via hidden payload, leading to PyPI quarantine and ...

GitHub facades and Ethereum smart contracts power a March 2026 admin-targeted campaign, enabling resilient C2 rotation and ...

Attackers have poisoned a code package on the npm registry in a novel way, hiding credential-stealing malware in steganographic QR codes embedded in a package purporting to offer a JavaScript utility.

A malicious npm package named Fezbox has been found using an unusual technique to conceal harmful code. The package employs a QR code as part of its obfuscation strategy, ultimately aiming to steal ...

A newly-discovered malicious package with layers of obfuscation is disguised as a utility library, with malware essentially hiding in plain sight in embedded QR codes. QR codes are ubiquitous these ...

ModStealer malware targets cryptocurrency wallets and is undetected by antivirus tools. ModStealer spreads via fake recruiter ads and steals data from 56 browser wallet extensions. The malware ...