A suspected credential stealer distributed through a package puts the spotlight on build pipelines, where a single malicious release can matter more than the application it powers.
A compromise affecting 84 npm packages shows how install-time code and CI credentials can collide inside the same trusted workflow.
A fresh supply-chain campaign linked to TeamPCP has been tied to npm and PyPI packages across several well-known projects, underscoring how easily trust in dependencies can be weaponized.