Browsing Tag
Supply Chain
38 posts
Upwind Finds Coordinated Supply Chain Campaign Compromising Multiple AsyncAPI npm Packages
Upwind links compromised AsyncAPI npm packages to a coordinated supply chain attack spanning repositories, publishing pipelines, and developer systems at risk.
July 14, 2026
Siggen Backdoor Hits Windows Developers Via Infected Visual Studio Projects
Dr.Web details Siggen Windows backdoor that uses Steam for C2, steals credentials and crypto data and infects Visual Studio projects to spread among developers.
July 13, 2026
‘Cordyceps’ CI/CD Flaw Exposes Microsoft, Google, Apache Repos to Pipeline Hijacking
Novee Security reveals Cordyceps, a CI/CD vulnerability in GitHub Actions workflows that let anonymous users poison builds and expose tokens across major projects today.
June 23, 2026
Salesforce Disables Klue Integration After OAuth Token Theft Hits Customer Data
Icarus extortion group used a legacy Klue Battlecards credential to bypass security and steal bulk Salesforce records from affected companies.
June 22, 2026
5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours
SafeDep uncovered the Megalodon attack targeting 5,561 GitHub repositories with malicious CI workflows and cloud credential theft.
May 22, 2026
TeamPCP Claims Sale of Mistral AI Repositories Amid Mini Shai-Hulud Attack (Updated)
TeamPCP claims to be selling alleged Mistral AI repositories on a hacker forum after the Mini Shai-Hulud attack targeted npm and PyPI ecosystems.
May 14, 2026
TeamPCP Used Mini Shai-Hulud Worm to Poison Over 400 npm and PyPI Packages
Research reveals that TeamPCP hijacked OIDC tokens to poison hundreds of TanStack, Mistral AI, and UiPath packages with the self-propagating Mini Shai-Hulud worm.
May 13, 2026
Hackers Poison Axios npm Package with 100 Million Weekly Downloads
Axios npm Package compromised in a supply chain attack, exposing developers to malware, data theft, and full system takeover risks worldwide.
March 31, 2026
TeamPCP Uses Fake Ringtone File in Tainted Telnyx SDK to Steal Credentials
Telnyx issues an urgent alert after hackers TeamPCP uploaded malicious versions (4.87.1 & 4.87.2) of its Python SDK to steal cloud and crypto credentials.
March 30, 2026
TeamPCP Hits Trivy, Checkmarx, and LiteLLM in Credential Theft Campaign
Hackers compromised Trivy, Checkmarx, and LiteLLM in a supply chain attack, stealing cloud credentials, tokens, and crypto wallet data from developers.
March 25, 2026