
OpenClaw: The Dangerous Magic of Autonomous AI
OpenClaw provides transformative automation but creates a 'Faustian bargain' where users trade their total digital security for the convenience of an autonomous AI assistant.

A massive rural Minnesota electronics distributor faces an existential threat from complex, high-cost U.S. tariffs that jeopardize its global competitiveness and local community.

A helium shutdown in Qatar threatens the global chip supply chain with a critical two-week deadline.

A large-scale scan reveals 287 Chrome extensions leaking browsing history to a broker-driven ecosystem—many linked to Similarweb—affecting ~37 million users.

In agent ecosystems, markdown skills are the new supply-chain installer—already used to deliver infostealers—so don’t run them on work devices and build a real trust layer with provenance, mediation, and least privilege.

An exposed Mintlify static endpoint let malicious SVGs run on customer primary domains, creating a widespread supply-chain XSS affecting Discord, X, and many others.

A trusted MCP email tool quietly added a BCC backdoor and has been siphoning thousands of emails, exposing a fundamental security gap in the MCP ecosystem.

We know how to fix JavaScript’s dependency mess, but the industry will choose symbolic gestures over real reforms.

A shared repo’s GitHub Actions secret was exfiltrated via a malicious workflow, enabling malicious npm publishes; the author has locked down publishing now and is moving toward OIDC to eliminate static tokens.

Microsoft’s control of npm hasn’t fixed its core weaknesses, leaving the JavaScript supply chain dangerously insecure and enterprises exposed.

A self-propagating npm attack backdoored @ctrl/tinycolor and 40+ packages to steal multi-cloud and GitHub secrets, persist via Actions workflows, and exfiltrate data—demanding immediate removal, credential rotation, and CI/CD hardening.