A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and ...

Perplexity launches Bumblebee: How its new read-only dev scanner differs from Chainguard ...

Sometime in late May 2026, a poisoned update slipped into the @antv family of JavaScript visualization libraries, the ...

GlassWorm poisoned 300 GitHub repositories since 2025, enabling supply chain attacks against developers and organizations.

MESCIUS USA, Inc., a global provider of award-winning enterprise software development tools, is pleased to announce a new product for the Document Solutions product line: Document Solutions PDF JS.

Malicious packages across npm, PyPI, and Crates.io show how poisoned developer workflows can become a route into enterprise systems.

Bumblebee from Perplexity scans developer machines for compromised packages and AI tool configs, without triggering malware.

The malware employs ecosystem-specific techniques for execution. On npm, many packages use post-install hooks to deploy a comprehensive JavaScript payload ...

Developer platform Socket says a malware called TrapDoor is targeting crypto and AI developers across npm, PyPI and Crates, aiming to steal crypto wallet info and browser data.

GitHub CISO Alexis Wales confirmed Thursday that a poisoned build of the Nx Console Visual Studio Code extension — live on ...

The Shai-Hulud supply-chain malware campaign is exploiting the automated systems developers trust to publish software safely.