In a supply chain attack, the trending npm package @ctrl/tinycolor was among the targets. Malicious versions steal secrets by running TruffleHog scans.
"Each published package becomes a new distribution vector: as soon as someone installs it, the worm executes, replicates, and ...
Hackers planted malicious code in open source software packages with more than 2 billion weekly updates in what is likely to ...
Investigations into the Nx "s1ngularity" NPM supply chain attack have unveiled a massive fallout, with thousands of account ...
The novel malware strain is being dubbed Shai-Hulud — after the name for the giant sandworms in Frank Herbert’s Dune novel ...
Many open-source repositories contain privileged GitHub Actions workflows that execute untrusted code and can be triggered by attackers to expose credentials and access tokens, as MITRE and Splunk ...
Cybersecurity firms Tenable and Qualys were hit by attacks stemming from the theft of authentication tokens from a third party ...
Scrubbing tokens from source code is not enough, as shown by the publishing of a Python Software Foundation access token with administrator privileges to a container image on Docker Hub. A personal ...
The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens.
What if the Python programming language itself were malicious? It would be the most devastating supply chain attack in human history - but it almost happened after an important GitHub token was ...