The Hacker News

PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials

Malicious Lightning 2.6.2/2.6.3 released April 30 enable credential theft via hidden payload, leading to PyPI quarantine and ...

The never-ending supply chain attacks worm into SAP npm packages, other dev tools

Attackers infected all versions with the same credential-stealing malware that, on Wednesday, poisoned multiple npm packages ...
Dark Reading

TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack

Several npm packages for SAP's cloud application development ecosystem have been compromised as TeamPCP's supply chain ...
Infosecurity Magazine

Npm Supply Chain Malware Attack Targets Developers With Worm-Like Propagation

Malicious npm packages have been identified distributing malware that steals credentials and attempts to spread across ...
The Hacker News

New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs

Claude Opus commit added malicious npm dependency in Feb 2026, enabling crypto theft and persistent RAT access.

Open source package with 1 million monthly downloads stole user credentials

Open source software with more than 1 million monthly downloads was compromised after a threat actor exploited a ...
InfoWorld

Critical GitHub RCE bug exposed millions of repositories

The now‑patched flaw allowed authenticated users to execute arbitrary code via crafted git push requests, affecting ...
Blue Headlineq

GitHub’s Supply Chain Warning Is Really About Secret Theft, Not Just Bad Packages

GitHub says modern supply-chain attacks increasingly start with secret exfiltration from GitHub Actions, not just poisoned packages further downstream.