Attackers abused GitHub Actions workflows to siphon off thousands of credentials from hundreds of npm and PyPI repositories.

CrowdStrike, a cybersecurity company, is grappling with a self-replicating worm named Shai-Hulud that has compromised numerous code packages.

In a similar style to the Nx attack, the payload then publishes a new repo via the victim's GitHub account, dropping stolen ...

Hulud" has compromised hundreds of packages in the npm repository with a self-replicating worm that steals secrets like API key, tokens, and cloud credentials and sends them to external servers that ...

Investigations into the Nx "s1ngularity" NPM supply chain attack have unveiled a massive fallout, with thousands of account ...

On September 5, 2025, GitGuardian discovered GhostAction, a massive supply chain attack affecting 327 GitHub users across 817 ...

Unlock the full InfoQ experience by logging in! Stay updated with your favorite authors and topics, engage with content, and download exclusive resources. Senyo Simpson discusses how Rust's core ...

The malicious JavaScript code ("bundle.js") injected into each of the trojanized package is designed to download and run ...

A supply chain attack involving malicious GitHub Action workflows has impacted hundreds of repositories and thousands of secrets.

Hackers planted malicious code in open source software packages with more than 2 billion weekly updates in what is likely to ...