Packagist packages hid malicious package.json scripts, enabling Linux binary execution during installs and workflows.
A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system. The security issue is tracked as CVE-2026-26956 and ...
The Shai-Hulud supply-chain malware campaign is exploiting the automated systems developers trust to publish software safely.
TanStack has released a detailed postmortem describing a sophisticated supply-chain attack that compromised 42 npm packages ...
Claude Code Dynamic Workflows, launched May 28, 2026, replaces context-window orchestration with a JavaScript script Claude writes on the fly for each task. Runs cap at 1,000 parallel subagents with ...
Any development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be treated as potentially compromised. On affected developer ...
A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and ...
MYRTLE BEACH, SC (WMBF) - The Better Business Bureau is warning consumers about a “brushing” scam involving unsolicited packages that arrive at their homes. The scam works by companies finding names ...
The controversy over vibe coding reached a new high this week after a developer added hidden instructions to his open source ...
Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase that threatens ...