A campaign tied to PolinRider has put malicious packages and browser extensions into npm, Packagist, Go, and Google Chrome, showing how one delivery pattern can travel across very different trust systems.
A maintainer-account takeover can do more damage than a single malicious file, especially when one publish pipeline reaches several software ecosystems at once.
A package-chain compromise can do more than slip in bad code: it can turn developer tooling itself into the execution path for a cross-platform Python infostealer.
The latest Miasma-linked supply-chain activity shows how a single poisoned release can pressure multiple trust layers at once, from package registries to build automation.
A poisoned-package wave tied to Mini Shai-Hulud, Miasma, and Hades is pushing supply-chain risk into the heart of developer workstations and CI/CD pipelines.
A supply-chain lure inside package install and build steps can turn routine development work into an execution window for credential theft, especially when teams trust native-addon metadata too quickly.
A deceptive package name can be enough to turn a routine JavaScript install into a staged Windows malware chain with browser-credential risk.
Three lookalike npm packages aimed at frontend developers underscore how package-name trust and installer-time execution can collide on a developer workstation.
A small cluster of PostCSS-themed npm packages shows how name confusion and install-time trust can turn routine dependency work into a Windows malware risk.
A typosquatted package in the npm ecosystem shows how a single confusing name can hand attackers a path from dependency install to Windows-native execution.
A malicious dependency found in more than 140 Mastra packages shows how a software supply-chain incident can move from build tools to browser-facing cryptocurrency surfaces.
A deceptive package name in the PostCSS orbit shows how open-source trust can be abused before any code ever reaches production.
A maintainer-account takeover tied to poisoned Mastra packages shows how package registries can become malware delivery systems when publisher trust is broken.
A hijacked contributor identity and a burst of package publishing turned the @mastra/* ecosystem into a supply-chain warning for anyone shipping JavaScript or TypeScript at scale.
A package-based credential theft campaign shows how quickly trusted registries can become entry points when attackers dress malware up as a build fix or SDK helper.
A malicious npm package found inside developer tooling shows how supply-chain abuse can begin before an app even launches, turning routine installs into high-risk execution events.
The dbmux case shows why a routine package install can become an execution event, not a passive download, with developer endpoints serving as a high-value entry point for broader supply-chain abuse.
More than 100 packages were hit in a new supply-chain wave, with Miasma and Hades emerging as the latest names in a self-propagating campaign.
A malicious npm package was used in a demonstrated attack path that rerouted Claude Code integrations and put OAuth bearer tokens in the crosshairs.
A malicious npm campaign shows how routine dependency installs can become a secret-harvesting path into developer systems, with crypto and Web3 workflows carrying outsized risk.