
GitHub Internal Repos Breached via Malicious VS Code Extension
GitHub suffered an internal repository breach after an employee installed a malicious VS Code extension, with hackers now attempting to sell the stolen code.
Security risks in software supply chains, including the acquisition and weaponization of trusted software, dependency hijacking, and compromised distribution channels.

Secure your pnpm projects by quarantining new releases, blocking exotic subdependencies, and restricting build scripts.

A self-propagating supply-chain attack has poisoned TanStack Router npm packages to steal credentials and infect further repositories.

Intel and Apple reach a preliminary chip-making deal facilitated by the U.S. government to strengthen domestic manufacturing and diversify Apple's supply chain.

Due to new Linux kernel vulnerabilities, users should avoid installing new software for a week to prevent supply chain attacks.

Wiz Research used AI-augmented tools to find a critical RCE vulnerability in GitHub's internal protocol that could compromise millions of repositories via a simple git push.

Bitwarden CLI version 2026.4.0 was compromised in a supply chain attack that uses a malicious CI/CD injection to harvest cloud and developer credentials.

A long-term breach at Vercel exploited a third-party OAuth trust and insecure default settings to expose customer secrets at a platform scale.

The early months of 2026 have seen a catastrophic surge in AI-driven cyberattacks that the public is largely ignoring despite extreme private alarm within the highest levels of the U.S. government.

A malicious actor weaponized a portfolio of 30+ acquired WordPress plugins to conduct a massive, blockchain-coordinated supply chain attack.

Secure AI-driven development by using isolated remote servers and a human-reviewed 'fork-and-pull' workflow to mitigate supply-chain and prompt-injection risks.

A hijacked maintainer account was used to poison the axios npm package with a sophisticated, self-cleaning Remote Access Trojan targeting multiple operating systems.

AI agents empower developers to rapidly detect, analyze, and disclose sophisticated supply chain attacks that previously required expert security intervention.

The litellm PyPI package has been compromised by a supply chain attack that automatically steals and exfiltrates sensitive system credentials and secrets.

OpenClaw provides transformative automation but creates a 'Faustian bargain' where users trade their total digital security for the convenience of an autonomous AI assistant.

A massive rural Minnesota electronics distributor faces an existential threat from complex, high-cost U.S. tariffs that jeopardize its global competitiveness and local community.

A helium shutdown in Qatar threatens the global chip supply chain with a critical two-week deadline.

A large-scale scan reveals 287 Chrome extensions leaking browsing history to a broker-driven ecosystem—many linked to Similarweb—affecting ~37 million users.

In agent ecosystems, markdown skills are the new supply-chain installer—already used to deliver infostealers—so don’t run them on work devices and build a real trust layer with provenance, mediation, and least privilege.

An exposed Mintlify static endpoint let malicious SVGs run on customer primary domains, creating a widespread supply-chain XSS affecting Discord, X, and many others.

A trusted MCP email tool quietly added a BCC backdoor and has been siphoning thousands of emails, exposing a fundamental security gap in the MCP ecosystem.

We know how to fix JavaScript’s dependency mess, but the industry will choose symbolic gestures over real reforms.

A shared repo’s GitHub Actions secret was exfiltrated via a malicious workflow, enabling malicious npm publishes; the author has locked down publishing now and is moving toward OIDC to eliminate static tokens.

Microsoft’s control of npm hasn’t fixed its core weaknesses, leaving the JavaScript supply chain dangerously insecure and enterprises exposed.

A self-propagating npm attack backdoored @ctrl/tinycolor and 40+ packages to steal multi-cloud and GitHub secrets, persist via Actions workflows, and exfiltrate data—demanding immediate removal, credential rotation, and CI/CD hardening.