A supply chain attack was carried out against TanStack, a set of libraries widely used in JavaScript and React development, by releasing malware-infused versions of its npm packages. According to ...

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious versions anyway. The CI/CD Trust-Chain Audit Grid maps the six gaps it ...

Multiple npm supply chain attacks used 50+ poisoned packages to spread IronWorm, a Rust-based stealer, and a Miasma worm ...

On April 29, 2026, someone slipped malicious code into four widely used SAP software packages. Within days, the infection had spread to at least 169 packages across the npm registry, the world’s ...

TeamPCP, the threat actor behind the recentsupply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as ...

This codebase, developed by Joey Takeda and Martin Holmes, provides a configurable, customizable tool which you can point at an XHTML5 document collection and have it generate a search page which ...

Microsoft has identified an active supply chain attack targeting the npm package ecosystem. On May 28, 2026, a single threat actor operating under the newly created maintainer alias vpmdhaj (a39155771 ...

A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and ...

When you hear "the dark web," you probably think of illegal, sordid activity, but that's not the whole picture. I don't recommend staying long, but these tips can help you explore the dark web using ...

Cybersecurity researchers at Aikido Security have uncovered a malicious supply chain attack targeting OpenAI Codex developers via the npm package “codexui-android”. While the associated GitHub ...