Researchers say the campaign uses a browser-based JavaScript VM to hide credential theft and intercept MFA at scale.

A malicious version of the PyTorch Lightning package published on the Python Package Index (PyPI) delivers a ...

TeamPCP’s Mini Shai-Hulud campaign used hijacked GitHub OIDC tokens to spread a credential-stealing worm through TanStack npm ...

Thirteen critical vulnerabilities have been found in the vm2 JavaScript sandbox package that could allow an attacker’s code ...

Fake OpenAI Privacy Filter hit #1 on Hugging Face with 244,000 downloads, spreading infostealer malware to Windows users.

A North Korean APT has crafted malicious software packages to appeal to AI coding agents, while ‘slopsquatting’ shows the ...

Education technology giant Instructure has confirmed that a security vulnerability allowed hackers to modify Canvas login ...

Over 170 TanStack, Mistral AI, OpenSearch, UiPath, and other packages were affected in a new Mini Shai-Hulud supply chain ...

Minecraft, created by Markus "Notch" Persson long before it became the most successful game of all time and a $2bn payday to Microsoft, was written in Java. Notch obfuscated the code to prevent others ...

Attackers performed an email takeover attack on a dormant maintainer account and published new node-ipc versions containing ...

Hundreds of npm packages infected by the self-propagating, credential-stealing worm from TeamPCP are related to the open ...

Four npm packages linked to SAP's Cloud Application Programming Model were hijacked. The hackers added code that steals ...