packages
-
The Provenance Gap: Analyzing Scope Squatting Vulnerabilities in ClawHub’s Plugin Registry
A critical supply-chain weakness has been identified within the ClawHub plugin registry, specifically concerning a failure in namespace enforcement. This…
Read More » -
Sapphire Sleet Compromises Node.js: Account Takeover, Typosquatting, and Multi-Stage Payloads in @mastra
A sophisticated supply chain attack has been identified targeting the Node.js ecosystem, attributed to the North Korean state-sponsored actor Sapphire…
Read More » -
Supply Chain Alert: 140 Mastra npm Packages Compromised via Typosquatted Dependency
A sophisticated software supply chain attack has recently targeted the JavaScript ecosystem, compromising over 140 npm packages within the popular…
Read More » -
Velvet Ant: Surgical Subversion of Critical Infrastructure Authentication Stacks (PAM and OpenSSH)
In a sophisticated display of cyber-persistence, the China-nexus threat actor known as Velvet Ant has been unmasked for executing a…
Read More » -
CVE-2026-20253: Analyzing the Critical Pre-Auth RCE Chain in Splunk Enterprise
A high-severity security flaw has been identified in Splunk Enterprise, presenting a critical risk to data integrity and system availability.…
Read More » -
Supply Chain Warfare: Advanced Typosquatting Targets Web3 Development Ecosystems
Threat actors are increasingly weaponizing the inherent trust placed in open-source dependencies to target Web3 engineering teams. By deploying sophisticated…
Read More » -
The End of Implicit Trust: How npm v12 Introduces Zero Trust for the JavaScript Ecosystem
GitHub has announced a significant architectural shift for the Node Package Manager with the upcoming release of npm v12. This…
Read More » -
Mass Repository Takedown: Analyzing the GitHub Enforcement Wave Against Microsoft Organizations
In a highly compressed window of just 105 seconds, GitHub executed a sweeping enforcement action, disabling 73 repositories distributed across…
Read More » -
The Evolution of PyPI Supply Chain Attacks: Analyzing the Newest Waves of Shai-Hulud, Miasma, and Hades
For security researchers and DevOps engineers, the landscape of software supply chain attacks is often a game of cat and…
Read More » -
The “Miasma” Worm and the Rise of “Phantom Gyp” Supply Chain Attacks
On June 3, 2026, the developer ecosystem faced a highly coordinated and rapid-fire supply chain assault. In a window of…
Read More » -
From AUDIOFIX to MINIRAT: JINX-0164’s macOS and Supply Chain Compromise Lifecycle
A sophisticated new threat actor, tracked as JINX-0164, has emerged with a highly specialized focus on the cryptocurrency sector. Unlike…
Read More » -
Supply Chain Alert: Malicious NuGet Package Weaponizes Sentry for Banking Credential Exfiltration
A sophisticated software supply chain attack has been identified targeting the .NET ecosystem. A fraudulent NuGet package, masquerading as an…
Read More » -
The New Frontline: Weaponizing Developer Tooling and CI/CD Pipelines
Modern software development relies on a complex ecosystem of automation and trusted integrations. However, this very interconnectedness has become a…
Read More » -
Deconstructing “Zapocalypse”: A Sophisticated Multi-Stage Attack Chain
The security research community was recently alerted to a critical vulnerability chain dubbed “Zapocalypse.” This discovery demonstrates how a seemingly…
Read More » -
Critical Security Update: GitHub Enterprise Server 3.20.3 Addresses High-Severity SSRF and Privilege Escalation Risks
GitHub has released a critical security update for GitHub Enterprise Server (GHES) version 3.20.3. This patch is not a routine…
Read More »