July 2026, blocking install scripts, Git dependencies, and remote URL sources by default. Every team running npm install in ...
Official Red Hat NPM accounts have been compromised and used to push a malicious worm that spreads from machine to machine, ...
GitHub disabled 73 repositories across four Microsoft organizations on June 5 after the self-replicating supply-chain campaign known as ...
The Homebrew team has released version 6.0 of this popular open-source package manager for macOS and Linux, with a new ...
A flaw in Claude Code's GitHub Action let attackers bypass permission checks via fake bots and steal OIDC tokens through prompt injection.
The codexui-android npm package silently exfiltrated OpenAI Codex auth tokens to an attacker server for a month, affecting 29,000 weekly downloads.
The change, expected in July, will likely block one of the more common attack vectors; developers are wondering what took ...
With npm v12, GitHub closes a central attack vector: installation scripts from dependencies will only run after explicit ...
Claude Code is Anthropic’s AI coding assistant — a command-line tool that developers are adopting fast. It connects to ...
Miasma hit 73 Microsoft repos across four GitHub orgs, forcing access disablement and exposing open-source trust risks.
GitHub confirmed attackers stole 3,800 internal repositories via a poisoned VS Code extension. The same threat group, TeamPCP, simultaneously compromised Microsoft's durabletask Python ...
A newly discovered malware campaign targeting the open source software ecosystem underscores how rapidly supply chain threats are evolving. The campaign, which JFrog has dubbed "IronWorm," targets ...