Sometime around the last week of May 2026, attackers uploaded poisoned packages to three of the most widely used software ...

A new report out today from cybersecurity company Forcepoint LLC’s X-Labs research team details a supply chain attack that ...

Microsoft flagged a Mistral AI hack as a supply-chain attack that hid malware in a fake AI library on PyPI. Here's what happened and what it means.

Attackers compromised the official Mistral AI Python package on PyPI along with hundreds of other widely-used developer ...

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious versions anyway. The CI/CD Trust-Chain Audit Grid maps the six gaps it ...

A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to ...

The OWASP-backed tool scans JavaScript and TypeScript lockfiles locally, aiming to help developers catch and remediate dependency risks before CI failures.

President Donald Trump announced a new nominee for surgeon general on Thursday, withdrawing his nomination of Casey Means for the post and putting an end to the Make America Healthy Again activist’s ...

Popular JavaScript modules including size-sensor and echarts-for-react hit as hijacked account closed GitHub warnings ...

A GitHub employee installed a routine VS Code extension update, handed cybercrime group TeamPCP enough access to exfiltrate ...

Stolen credentials produced valid Sigstore certificates, clearing 633 malicious npm packages — one of seven developer tool ...

Sen. Lisa Murkowski delivered the coup de grâce in ending the nomination of Casey Means, Health Secretary Robert F. Kennedy Jr.’s choice for surgeon general, Means told POLITICO Thursday. The Alaska ...