Open source package with 1 million monthly downloads stole user credentials

Open source software with more than 1 million monthly downloads was compromised after a threat actor exploited a ...

PyPI package with 1.1M monthly downloads hacked to push infostealer

An attacker pushed a malicious version of the popular elementary-data package Python Package Index (PyPI) to steal sensitive ...
Blue Headlineq

GitHub’s Supply Chain Warning Is Really About Secret Theft, Not Just Bad Packages

GitHub says modern supply-chain attacks increasingly start with secret exfiltration from GitHub Actions, not just poisoned packages further downstream.
SecurityWeek

Bitwarden NPM Package Hit in Supply Chain Attack

The Bitwarden CLI NPM package compromise is tied to a Checkmarx supply chain attack and references the Shai-Hulud worm.
Cybernews

Checkmarx hit again, popular tools spreading credential-stealing malware

Checkmarx suffers a second supply chain attack in a month, resulting in hackers injecting credential-stealing malware into ...
The Hacker News

Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens

Self-propagating npm worm steals tokens via postinstall hooks, impacting six packages and expanding supply chain attacks.
The Next Web

Anthropic, Google, and Microsoft paid AI agent bug bounties, then kept quiet about the flaws

Researchers hijacked Claude, Gemini, and Copilot AI agents via prompt injection to steal API keys and tokens. All three ...

The Most Ignored Practice In AI Coding: Test-Driven Development

What Cherny is describing, in engineering terms, is the operating principle behind test-driven development (TDD). TDD has ...
The Hacker News

DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea

Threat actors likely associated with the Democratic People's Republic of Korea (DPRK) have been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks targeting ...
InfoQ

GitHub Integrates AI to Improve Accessibility Issue Management and Automate Feedback Triage

A monthly overview of things you need to know as an architect or aspiring architect. Unlock the full InfoQ experience by logging in! Stay updated with your favorite authors and topics, engage with ...
Bleeping Computer

Cisco source code stolen in Trivy-linked dev environment breach

Cisco has suffered a cyberattack after threat actors used stolen credentials from the recent Trivy supply chain attack to breach its internal development environment and steal source code belonging to ...