.avif)
Software Supply Chain Security News
Stay up to date with the latest software supply chain security incidents, including malicious packages, dependency attacks, and real-world breaches. We break down what happened, why it matters, and what developers should fix to stay ahead.
Popular PyTorch Lightning Package Compromised by Mini Shai-Hulud
Malware found in popular PyTorch Lightning version 2.6.2 and 2.6.3, stealing credentials, crypto wallets, and VPN configs as part of the Mini Shai-Hulud campaign.
Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files
A fake "tanstack" npm package published four malicious versions in 27 minutes today, exfiltrating .env files via a postinstall hook. Here's what happened, who was affected, and how to rotate your credentials.
duckdb npm packages compromised
The popular package duckdb was compromised by same attackers that hit debug and chalk
npm debug and chalk packages compromised
The popular packages debug and chalk on npm have been compromised with malicious code
Without a Dependency Graph Across Code, Containers, and Cloud, You’re Blind to Real Vulnerabilities
Stop drowning in CVEs. Without a dependency graph across code, containers, and cloud, you’ll miss real vulnerabilities and chase false positives
Popular nx packages compromised on npm
The popular nx package on npm was compromised, and stolen data was published on GitHub publicly
WTF is Vibe Coding Security? Risks, Examples, and How to Stay Safe
Vibe coding is the new AI coding trend where anyone can spin up an app in hours. But from Replit’s database wipe to exposed tea apps, the risks are real. Learn what vibe coding security means, the difference from agentic coding, and how CISOs can keep the vibes without the vulnerabilities.
A deeper look into the threat actor behind the react-native-aria attack
We investigate the activity of the threat actor that compromised react-native-aria packages on npm, and how they are evolving their attacks.
Malicious crypto-theft package targets Web3 developers in North Korean operation
Aikido Security uncovers a North Korean-linked supply chain attack using the fake npm package web3-wrapper-ethers to steal private keys from Web3 developers. Linked to Void Dokkaebi, the threat actor mirrors past DPRK crypto theft operations. Learn how the attack worked and what to do if you're affected.
Active NPM Attack Escalates: 16 React Native Packages for GlueStack Backdoored Overnight
A sophisticated supply chain attack is actively compromising packages related to react-native-aria on NPM, deploying a stealthy Remote Access Trojan (RAT) hidden through obfuscation and spreading across modules with over a million weekly downloads.
You're Invited: Delivering malware via Google Calendar invites and PUAs
Threat actor used malicious Google Invites and hidden Unicode “Private Use Access” characters (PUAs) to brilliantly obfuscate and hide a malicious NPM package.
RATatouille: A Malicious Recipe Hidden in rand-user-agent (Supply Chain Compromise)
RATatouille: A Malicious Recipe Hidden in rand-user-agent (Supply Chain Compromise)
Get secure now
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.
