Multiple npm supply chain attacks used 50+ poisoned packages to spread IronWorm, a Rust-based stealer, and a Miasma worm ...

The Miasma supply chain campaign has sparked a fresh attack wave called Hades, this time involving 37 malicious wheel ...

Jake Peterson is Lifehacker’s Tech Editor, and has been covering tech news and how-tos for nearly a decade. His team covers all things technology, including AI, smartphones, computers, game consoles, ...

If reinstalling software feels repetitive, these tools have some ideas.

Hackers compromised 19 packages on the PyPI, collectively downloaded hundreds of thousands of times, in a new Shai-Hulud ...

With npm v12, GitHub closes a central attack vector: installation scripts from dependencies will only run after explicit ...

A threat actor tracked as DriveSurge has been operating large-scale malware distribution campaigns using ClickFix and ...

A sneaky IAB operation uses a malicious traffic distribution system (TDS) to redirect visitors of trusted websites to ones ...

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious versions anyway. The CI/CD Trust-Chain Audit Grid maps the six gaps it ...

Lazarus Group has deployed RemotePE, a fully memory-resident trojan that is extremely hard for traditional antivirus and forensic tools to detect.

Sometime around the last week of May 2026, attackers uploaded poisoned packages to three of the most widely used software ...

Microsoft has identified an active supply chain attack targeting the npm package ecosystem. On May 28, 2026, a single threat actor operating under the newly created maintainer alias vpmdhaj (a39155771 ...