Threat actors have struck the software supply chain yet again, this time hitting the Python Package Index (PyPI) with Mini Shai-Hulud in an attempt to spread poisoned code. In the latest campaign, ...
ActiveState explains how GitHub Actions attack chains can evade traditional CI security scanners, why passing a scan doesn't ...
North Korean threat actors are escalating the PolinRider supply chain attack across Go, Packagist, and npm package ...
According to researchers at cybersecurity companies Sekoia and YesWeHack, the packages are hosted on the Python Package Index (PyPI), a platform used by Python developers to source and share code.
The researchers have discovered 8 repositories with critical misconfigurations that could lead to supply chain compromise ...
Hackers created a fake trading bot for Polymarket’s prediction markets on GitHub. The bot was used to spread malware that ...
The Weaviate incident in 2025 illustrated this clearly. A researcher discovered an exposed OpenAI API key in a public repository. When tested, the key returned a quota exhaustion error, indicating ...
Lazarus Group concealed a four-module remote access toolkit inside six fake npm Rollup polyfill packages that fired at import ...
Dozens of cryptographically verified open source packages from Microsoft were compromised late last week to add advanced credential-stealing code that was triggered when developers opened them in AI ...
Cybersecurity researchers at Kaspersky have identified more than 250,000 potential security misconfigurations across GitHub ...
Cybersecurity firm Novee has identified a GitHub Actions workflow-chain risk that can expose secrets even when checks pass, ...