A single developer. One poisoned extension. Five supply chain surfaces compromised in 48 hours. And a threat group claiming ...

The security platform Socket has recently discovered an enormous worldwide malware operation that has been dubbed "TrapDoor".

Stolen credentials produced valid Sigstore certificates, clearing 633 malicious npm packages — one of seven developer tool ...

A fresh Mini Shai-Hulud supply chain attack has hit over 320 NPM packages, along with GitHub Actions and a VS Code extension.

Another massive supply chain attack is spreading. Hundreds of compromised NPM packages are being detected, with hackers using stolen secrets to create over 2,200 public GitHub repositories, all ...

Kazuar, a sophisticated malware family attributed to the Russian state actor Secret Blizzard, has been under constant development for years and continues to evolve in support of espionage-focused ...

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious versions anyway. The CI/CD Trust-Chain Audit Grid maps the six gaps it ...

An attacker poisoned 84 TanStack npm versions across 42 packages, stealing GitHub OIDC tokens and cloud keys while planting a ...

Experts reveal "CopyFail" flaw affecting Linux distros All Linux kernels released after 2017 are vulnerable Users urged to patch now or risk account takeover Security experts have warned of a major ...

The discoverers have named the root vulnerability "Copy Fail". All major distributions since 2017 are affected.

Cybersecurity researchers have flagged malicious Packagist PHP packages masquerading as Laravel utilities that act as a conduit for a cross-platform remote access trojan (RAT) that's functional on ...