A fresh Mini Shai-Hulud supply chain attack has hit over 320 NPM packages, along with GitHub Actions and a VS Code extension.

The Shai-Hulud supply-chain malware campaign is exploiting the automated systems developers trust to publish software safely.

Microsoft has had a VS Code extension for a long time, and it finally came back to bite them.

Stolen credentials produced valid Sigstore certificates, clearing 633 malicious npm packages — one of seven developer tool ...

Google reported the first confirmed AI-assisted zero-day exploit, raising new concerns about logic flaws, supply chain risk, and containment.

An attacker poisoned 84 TanStack npm versions across 42 packages, stealing GitHub OIDC tokens and cloud keys while planting a dead-man's switch that nukes your system.

Google caught the first zero-day exploit built with AI assistance. Criminal and state backed hackers are using AI models to find vulnerabilities faster.

A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to ...

A fake Claude code installer can successfully exfiltrate decrypted cookies, passwords and payment methods from Chromium browsers. Here's how.

A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and ...