GitHub’s internal repositories — now staged publishing in npm 11.15.0 requires a human 2FA approval before any package goes ...

A coordinated malware campaign known as TrapDoor has hit software ecosystems widely used by crypto and blockchain developers.

Hulud payload to steal CI/CD secrets from Linux-based automation environments. The malware executes during npm install and ...

Microsoft confirmed on May 14 that CVE-2026-42897 — a cross-site scripting flaw in the Outlook Web Access component of Exchange Server 2016, 2019, and Subscription Edition — is under active ...

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious versions anyway. The CI/CD Trust-Chain Audit Grid maps the six gaps it ...

TanStack has released a detailed postmortem describing a sophisticated supply-chain attack that compromised 42 npm packages ...

Asentum, a next-generation Layer-1 blockchain built from the ground up with post-quantum security, today announced the official launch of its native token presale for $ASE. The presale is scheduled to ...

Yimutian Inc. (Nasdaq: YMT) (“Yimutian” or the “Company”), a leading AI-driven agricultural digital service company in China, today announced that its WolaiCai AI ...

Developer platform Socket says a malware called TrapDoor is targeting crypto and AI developers across npm, PyPI and Crates, aiming to steal crypto wallet info and browser data.

The PureLogs module targeted a wide range of browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Yandex Browser, ...

The Tycoon2FA phishing kit now supports device-code phishing attacks and abuses Trustifi click-tracking URLs to hijack ...

The world’s largest open-source registry, node package manager (npm), has been hit by another fast-moving malware attack, ...