
.avif)
Software Supply Chain Security News
Stay up to date with the latest software supply chain security incidents, including malicious packages, dependency attacks, and real-world breaches. We break down what happened, why it matters, and what developers should fix to stay ahead.

Multiple JetBrains IDE plugins caught stealing AI keys
A coordinated campaign of at least 15 JetBrains IDE plugins, published under seven vendor accounts, exfiltrates the AI provider API key you paste into their settings.

Compromised Rust crate onering performs code exfiltration
The compromised onering Rust crate v1.4.1 on crates.io shipped a malicious build.rs that exfiltrates the diff of your latest commit to a hosted Sentry endpoint every time you build.
.jpg)
10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums
Aikido Security discovered a critical unauthenticated authentication bypass in phpBB affecting tens of millions of users. A single HTTP request is all it takes to take over any account — a vulnerability that's been sitting in the codebase since 2014.
GlassWorm goes native: New Zig dropper infects every IDE on your machine
GlassWorm deploys a Zig-based native dropper hidden within a fake extension, silently compromising VS Code, Cursor, VSCodium, and other IDEs.
Aikido Attack finds multiple 0-days in Hoppscotch
Aikido’s AI pentesting agents discovered multiple high-severity vulnerabilities in Hoppscotch, including account takeover, stored XSS, and access control flaws. All issues are now patched.
axios compromised on npm: maintainer account hijacked, RAT deployed
Malicious axios versions 1.14.1 and 0.30.4 were published via a hijacked maintainer account. A hidden dependency deploys a cross-platform RAT. Check if you are affected and remediate now.
Popular telnyx package compromised on PyPI by TeamPCP
The popular telnyx packageon PyPI, used by big AI companies, has been compromised by TeamPCP
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
TeamPCP deploys CanisterWorm on NPM following Trivy compromise
TeamPCP deploys CanisterWorm on NPM following Trivy compromise
GlassWorm Hides a RAT Inside a Malicious Chrome Extension
GlassWorm deploys a multi-stage RAT that force-installs a malicious Chrome extension to log keystrokes, steal cookies, and exfiltrate data via Solana-based C2.
fast-draft Open VSX Extension Compromised by BlokTrooper
The fast-draft Open VSX extension was compromised to deploy a BlokTrooper RAT and infostealer via GitHub-hosted payloads. Multiple malicious versions identified.
Glassworm Strikes Popular React Native Phone Number Packages
Aikido Security researchers recovered and decrypted the full payload chain from two malicious React Native packages. Here's what the malware does and what to look for.
Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories
The Glassworm supply chain attack is back. Researchers uncovered malware hidden in invisible Unicode characters across 150+ GitHub repositories, plus npm packages and VS Code extensions.
Get secure now
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

