July 2026, blocking install scripts, Git dependencies, and remote URL sources by default. Every team running npm install in ...

Official Red Hat NPM accounts have been compromised and used to push a malicious worm that spreads from machine to machine, ...

GitHub disabled 73 repositories across four Microsoft organizations on June 5 after the self-replicating supply-chain campaign known as ...

The codexui-android npm package silently exfiltrated OpenAI Codex auth tokens to an attacker server for a month, affecting 29,000 weekly downloads.

A flaw in Claude Code's GitHub Action let attackers bypass permission checks via fake bots and steal OIDC tokens through prompt injection.

With npm v12, GitHub closes a central attack vector: installation scripts from dependencies will only run after explicit ...

A new security feature is sandboxing on Linux when Homebrew compiles software. This was already implemented on macOS (and has ...

The change, expected in July, will likely block one of the more common attack vectors; developers are wondering what took ...

Claude Code is Anthropic’s AI coding assistant — a command-line tool that developers are adopting fast. It connects to ...

Miasma hit 73 Microsoft repos across four GitHub orgs, forcing access disablement and exposing open-source trust risks.

GitHub confirmed attackers stole 3,800 internal repositories via a poisoned VS Code extension. The same threat group, TeamPCP, simultaneously compromised Microsoft's durabletask Python ...

A Claude Code GitHub Action flaw let one malicious issue hijack repositories via prompt injection. Anthropic has patched it.