supply chain

19 articles

CVE, web security, supply chain, remediation, development

CVE-2026-45618: Your Template Engine Runs Arbitrary Code. CVSS 10.

LiquidJS, a templating library with 7 million monthly downloads, lets attackers run any code on your server through a crafted template string. No login required. Public exploit available.

Jun 4, 2026
supply chain, TeamPCP, infrastructure, small business

Malware Got Pushed Directly to Microsoft's GitHub. Yours Could Be Next.

A single compromised account pushed malicious code to 42 repos across Microsoft and Azure GitHub orgs in under an hour. If you trust code because of who published it, that trust is now a liability.

Jun 4, 2026
supply chain, npm, small business, remediation

npm install Just Ran Malware on Your Machine. You Didn't Even Know.

A self-propagating worm is using a blind spot in npm's native build system to execute code the moment you install a package. No install scripts. No warnings. Just binding.gyp.

Jun 3, 2026
supply chain, source code, GitHub, credential abuse, remediation

They Validated Your GitHub Tokens. Now They're Cloning Your Repos.

The token-checking campaign we warned about two weeks ago has entered phase two. Attackers are mass-cloning private repositories using stolen PATs. Your source code is walking out the door.

Jun 2, 2026
TeamPCP, supply chain, CVE, small business

TeamPCP: The Supply Chain Attackers Who Won't Stop

7 waves. 170+ packages. VS Code extensions. Jenkins plugins. A self-propagating worm. And they breached GitHub itself. Here's the full timeline of the most prolific supply chain campaign of 2026.

Jun 1, 2026
supply chain, TeamPCP, small business, remediation

Red Hat's npm Packages Were Stealing Your Credentials. Yes, Red Hat.

29 packages under the @redhat-cloud-services namespace were compromised with a self-propagating credential stealer. 80,000 weekly downloads. If Red Hat's packages aren't safe, neither are yours.

May 31, 2026
CVE, supply chain, remediation, small business, Fortinet

CVE-2026-35616: Your Security Tool Just Installed Malware on Every Device

Attackers exploited FortiClient EMS to push a credential stealer disguised as a Fortinet firmware update. Your endpoint management system delivered the malware for them. You can't make this up.

May 29, 2026
supply chain, CVE, security operations, TeamPCP

Stop Auto-Updating Everything. Seriously.

The biggest supply chain attack in npm history just happened. 160+ packages compromised. If you had auto-updates on, you swallowed the poison automatically. Here's what to do instead.

May 28, 2026
supply chain, TeamPCP, remediation, infrastructure

Someone Is Checking If Your GitHub Tokens Still Work. Right Now.

Mass automated validation of stolen GitHub PATs from bulletproof hosting. They're testing which tokens are live, what scopes they have, and triaging the valuable ones. Revoke your old tokens today.

May 27, 2026
social engineering, threat actor, developer security, macOS, supply chain

That Recruiter in Your DMs Is Installing Malware on Your Mac

A threat actor called JINX-0164 is posing as recruiters to trick developers into running malware that steals credentials, crypto wallets, and SSH keys. If your company employs developers, this is your problem.

May 26, 2026
supply chain, VSCode, CVE, TeamPCP

Your Code Editor Just Became a Backdoor. Here's What Happened.

A poisoned VS Code extension breached GitHub's internal repos. 3,800 repositories. 18 minutes. If you install extensions without thinking, you need to read this.

May 21, 2026
supply chain, PyPI, small business, remediation

Another PyPI Package Was a Trojan Horse. This One Had a Wiper.

Microsoft's official Durable Task Python SDK was hijacked on PyPI with a credential stealer, a Linux file wiper, and worm logic that spreads using your own cloud keys. No CVE was assigned. Most scanners missed it.

May 18, 2026
supply chain, TeamPCP, small business, remediation

node-ipc Backdoored Through an Expired Domain. 10 Million Weekly Downloads.

An attacker registered a co-maintainer's expired email domain, reset the npm password, and published a credential stealer that exfiltrates over DNS. No hack required. Just a $12 domain registration.

May 15, 2026
CVE, TeamPCP, supply chain, remediation

TeamPCP Backdoored a Security Scanner. Your Security Tools Are the Target.

The Checkmarx Jenkins plugin, installed to find vulnerabilities in your code, was itself compromised with an infostealer. CVE-2026-33634. CVSS 9.4. Every secret in your CI/CD pipeline was exfiltrated.

May 10, 2026
WordPress, web security, supply chain

Your WordPress Site Is Probably Already Compromised

30-40% of WordPress sites are running plugins with known vulnerabilities. A supply chain attack just backdoored 400,000 sites through trusted plugin updates. If you run WordPress, read this.

May 4, 2026
supply chain, CI/CD, Python, GitHub Actions, remediation

A GitHub Comment Backdoored a Python Package. Read That Again.

An attacker posted a comment on a pull request. Twelve hours later, every data engineer running elementary-data 0.23.3 was exfiltrating their warehouse credentials to a stranger. Your CI/CD pipeline is a factory floor with no locks on the doors.

Apr 23, 2026
supply chain, AI, small business, infrastructure, Vercel

Vercel Got Breached Through an AI Tool. Your SaaS Vendors Are Next.

An infostealer at a third-party AI company led to Vercel customer secrets being exposed. The attack chain: AI tool employee gets malware, attacker pivots to Vercel, customer API keys and DB credentials decrypted. Two months undetected.

Apr 20, 2026
supply chain, social engineering, small business

ShinyHunters Stole a Petabyte From Telus. Through a Chatbot.

The breach started with stolen OAuth tokens from a chatbot integration. ShinyHunters pivoted through Salesforce, found GCP credentials, and exfiltrated nearly 1 petabyte including FBI background checks and customer call recordings.

Mar 13, 2026
small business, supply chain, assessment

The SaaS Tools Your Team Uses Are a Liability

The average small business uses 47 SaaS apps. Each one stores data, holds credentials, and connects to other services. Most have no security oversight. Here's why that's a problem you need to solve.

Jan 27, 2026