Sometime around the last week of May 2026, attackers uploaded poisoned packages to three of the most widely used software ...

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious versions anyway. The CI/CD Trust-Chain Audit Grid maps the six gaps it ...

A coordinated malware campaign known as TrapDoor has hit software ecosystems widely used by crypto and blockchain developers.

An attacker poisoned 84 TanStack npm versions across 42 packages, stealing GitHub OIDC tokens and cloud keys while planting a dead-man's switch that nukes your system.

GitHub confirms breach of 3,800 internal repos after employee installs poisoned VS Code extension - SiliconANGLE ...

GitHub CISO Alexis Wales confirmed Thursday that a poisoned build of the Nx Console Visual Studio Code extension — live on ...

The Shai-Hulud supply-chain malware campaign is exploiting the automated systems developers trust to publish software safely.

GitHub has contained a breach involving unauthorized access to thousands of internal repositories, allegedly linked to a ...

The Microsoft-owed software developer platform, GitHub, has confirmed a third-party has gained unauthorized access to 3800 ...

Microsoft has had a VS Code extension for a long time, and it finally came back to bite them.

Cryptocurrency developers have become the focus of a new macOS-focused cyber campaign that uses fake recruiter approaches, malicious meeting links and compromised software pipelines to steal digital ...