A supply chain attack targeting the open-source tool Understand-Anything (57,000+ GitHub stars) hid an obfuscated payload in `homepage/astro.config.mjs` via pull request #206, which executes automatic…
Eight days after the Miasma worm injected a 4.3 MB credential stealer into public GitHub repositories, 123 repositories across 56 accounts still carry the live dropper on 665 branches, according to a …
The Miasma software supply chain attack toolkit has been released as open source across multiple GitHub repositories, likely through compromised developer accounts. The toolkit enables attackers to ex…
A single unsigned commit to the `icflorescu/mantine-datatable` repository added six files, five of which serve as launchers that execute a 4.3 MB dropper at `.github/setup.js`. The dropper, obfuscated…
On June 3, 2026, attackers pushed malicious commits to the GitHub repository `icflorescu/mantine-datatable` and four sibling repos, planting a 4.3 MB payload from the Miasma worm family. The commit ad…
On June 1, 2026, an attacker exploited npm's trusted publishing mechanism to compromise 32 @redhat-cloud-services packages across 96 versions, injecting malicious preinstall hooks that execute a Bun-b…
A malicious npm package called `js-logger-pack` evolved through 29 versions into a full remote access trojan (RAT) named `MicrosoftSystem64` that exfiltrates stolen data to attacker-controlled Hugging…
A malicious npm package called `js-logger-pack` evolved through 29 versions on the registry from April 2026 into a full remote access trojan that deploys an 81 MB binary named `MicrosoftSystem64` on W…
Nine malicious npm packages impersonating Polymarket trading tools were published on May 20, 2026, by the account "polymarketdev," stealing cryptocurrency wallet private keys upon installation. The pa…
Three versions of the widely used npm package node-ipc (9.1.6, 9.2.3, and 12.0.1) were compromised on May 14, 2026, after an attacker took over the co-maintainer account "atiertant" and published mali…
Five typosquatting npm packages published by accounts named "superbase" and "micresoft" contain a hidden 4.5 MB ELF binary that executes automatically upon `npm install` and, through a hijacked `Sessi…
On May 11, 2026, a coordinated supply chain attack compromised over 170 npm packages and 2 PyPI packages, totaling 404 malicious versions, targeting major projects including the entire TanStack router…
SafeDep has released PMG, an open-source package guard that intercepts npm, pip, and cargo installs to block malicious packages before their post-install scripts execute. The tool, which can be synced…
The malicious npm package `node-env-resolve`, disguised as a lightweight environment configuration resolver, installs a full remote access trojan (RAT) on victim machines upon execution of `npm instal…
A malicious npm package named "exiouss" was published on May 1, 2026, by the account "loltestpad" as a rebranded version of the previously removed "godsplan" package, now bundling a PowerShell script …
The PyTorch Lightning deep-learning framework was compromised on PyPI, with versions 2.6.2 and 2.6.3 containing a credential-stealing worm called Shai-Hulud. The malware activates when Python code run…
"ixpresso-core," a malicious Windows Remote Access Trojan (RAT) published on npm and disguised as a WhatsApp-integrated AI agent. Once installed, it deploys persistent malware called "Veltrix" that st…