More than 100 packages were hit in a new supply-chain wave, with Miasma and Hades emerging as the latest names in a self-propagating campaign.
A new roundup on Software Composition Analysis points to a larger truth in modern security: when applications depend on open-source code, knowing what is inside the build is a defensive necessity, not a luxury.
AI-assisted development can speed delivery, but once code starts arriving through prompts and agents, security governance has to move upstream with it.
Microsoft is adding a two-hour delay before Visual Studio Code extensions update automatically, turning update timing into a security control against supply chain abuse.
The real risk is not hacking model weights, but contaminating the text pipeline that feeds them - a supply-chain problem that can turn ordinary web publishing into an attack surface.
Emphere’s latest raise spotlights a quiet but critical shift in software defense - from scanning for flaws to automating the work of closing them.
When straits, sanctions, chips, and submarine cables become pressure tools, the battlefield is no longer just military - it is logistical, digital, and regulatory.
A malicious project on Python’s main package index shows why trust in open-source software now starts with name verification, not just reputation.
A critical bug in Hugging Face Transformers shows how a single poisoned configuration file can convert routine model loading into a remote code execution event.
A reported flaw in Hugging Face Transformers shows how model metadata, kernel loading, and remote code controls can collide inside the ML supply chain.
EU ministers are set to review a proposed cyber package centered on ENISA, NIS2 simplification, and supply-chain security, with the real challenge lying in whether governance can become clearer without becoming weaker.
A reported Lazarus-linked brandjacking campaign against npm developers shows how package identity, install-time behavior, and secret-rich workstations can turn routine dependency work into a security event.
A pressure-heavy impersonation campaign targets extension publishers by borrowing the language of Google enforcement and the Chrome Web Store to push victims toward credential entry.
A research test against several skill-detection tools suggests that package vetting for agentic AI can be tricked by simple malicious uploads, not just sophisticated code.
CISA and G7 cyber agency partners have put AI system transparency on a supply-chain footing, but the hard part is still proving that paperwork matches production.
A package cleanup after a software pipeline compromise is a reminder that supply-chain risk often starts with identity, not malware.
A compromise in the package publication chain can turn trusted automation into a delivery system for secret theft and repeat infection.
A security investigation touching GitHub and a TanStack npm package highlights a simple but uncomfortable truth: when identity, distribution, and automation intersect, even an unclear incident can become a supply-chain warning.
A Rome conference talk turned POTÆbox into a reminder that some threats are framed not as software flaws, but as device-layer risks that may sit outside normal monitoring.
Project Lightwell is a bet that the hardest part of software security is not finding flaws, but fixing them in systems that cannot afford to stop.