TeamPCP’s Mini Shai-Hulud campaign used hijacked GitHub OIDC tokens to spread a credential-stealing worm through TanStack npm ...

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious ...

Aikido Security Ltd. today disclosed what is being described as the largest npm supply chain compromise to date, after attackers injected malware into 18 popular packages that together account for ...

Security researchers discovered over 400 malicious packages in the popular open source registry npm in December, and dozens more in PyPI. Sonatype explained in a blog post that its AI tooling spotted ...

OpenAI says two employees' devices were breached in the recent TanStack supply chain attack that impacted hundreds of npm and ...

Four npm packages linked to SAP's Cloud Application Programming Model were hijacked. The hackers added code that steals ...

Security researchers have uncovered another large-scale, coordinated attack on the npm ecosystem, using worm-like techniques to spread spam packages. Dubbed “IndonesianFoods” due to the unique naming ...

A self-replicating malware is worming its way into open source software components. The malware's name is "Shai-hulud," presumably taking its name from the Dune sandworms, and it's particularly ...

For a few critical days at the end of April 2026, thousands of developers building SAP integrations unknowingly handed their ...

Forbes contributors publish independent expert analyses and insights. A serious security breach has sent shockwaves through both everyday online services and the cryptocurrency world. At the center is ...

A significant percentage of the 50,000 most-downloaded npm packages are deprecated or have a deprecated dependency but provide no warning. Security researchers warn that many npm packages are being ...