A new self-replicating worm dubbed Shai-Hulud has compromised over 180 npm packages, stealing credentials and spreading ...
Shai-Hulud is the third major supply chain attack targeting the NPM ecosystem after the s1ngularity attack and the recent ...
On September 5, 2025, GitGuardian discovered GhostAction, a massive supply chain attack affecting 327 GitHub users across 817 repositories. Attackers injected malicious workflows that exfiltrated ...
Attackers abused GitHub Actions workflows to siphon off thousands of credentials from hundreds of npm and PyPI repositories.
The bundle.js script is designed to steal npm, GitHub, AWS and GCP tokens. But it also installs TruffleHog – an open source ...
Reports surfaced that the widely used npm package @ctrl/tinycolor had been compromised by Wormable Malware as part of a ...
A blog post by AI security company Invariant Labs shows that the official GitHub MCP server (Model Context Protocol) can invite prompt injection attacks. In a proof of concept, an attacker used a ...
Multiple high-profile open-source projects, including those from Google, Microsoft, AWS, and Red Hat, were found to leak GitHub authentication tokens through GitHub Actions artifacts in CI/CD ...
Microsoft’s Copilot AI assistant is exposing the contents of more than 20,000 private GitHub repositories from companies including Google, Intel, Huawei, PayPal, IBM, Tencent and, ironically, ...
Unlock the full InfoQ experience by logging in! Stay updated with your favorite authors and topics, engage with content, and download exclusive resources. Senyo Simpson discusses how Rust's core ...
Results that may be inaccessible to you are currently showing.
Hide inaccessible results
Feedback