GitHub’s internal repositories — now staged publishing in npm 11.15.0 requires a human 2FA approval before any package goes ...

A leading American stock exchange for private companies is suing its Canadian rival for alleged patent infringement, ...

TrapDoor spread 34 malicious packages across npm, PyPI, and Crates.io, stealing developer credentials and enabling persistence.

The Shai-Hulud supply-chain malware campaign is exploiting the automated systems developers trust to publish software safely.

Hulud payload to steal CI/CD secrets from Linux-based automation environments. The malware executes during npm install and ...

The Mini Shai-Hulud worm has resurfaced in one of its largest single-registry waves to date, hitting hundreds of npm packages ...

A fresh Mini Shai-Hulud supply chain attack has hit over 320 NPM packages, along with GitHub Actions and a VS Code extension.

Mini Shai-Hulud npm campaign compromises @antv packages, targeting blockchain developers' GitHub tokens, AWS keys, and CI/CD secrets in a coordinated supply chain attack.

Sometime around the last week of May 2026, attackers uploaded poisoned packages to three of the most widely used software ...

TanStack has released a detailed postmortem describing a sophisticated supply-chain attack that compromised 42 npm packages ...

On May 11, 2026, a self-replicating worm called Mini Shai-Hulud quietly slipped into 42 widely used TanStack open-source ...

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious versions anyway. The CI/CD Trust-Chain Audit Grid maps the six gaps it ...