Supply Chain Attacks
11 articles RSS
Laravel-Lang Supply Chain Attack Poisons Over 700 Package Versions via Packagist Tag Hijack, Deploying Cross-Platform Credential Stealer
Attackers rewrote Git tags across four Laravel localization packages to point to malicious forks, poisoning hundreds of versions and deploying a credential stealer targeting cloud keys, SSH, and crypto wallets.
Checkmarx Jenkins AST Plugin Backdoored for 31 Hours as TeamPCP Returns Weeks After the KICS Compromise
A malicious build of Checkmarx's Jenkins AST plugin was live on the Jenkins Marketplace from May 9 at 01:25 UTC to May 10 at 08:47 UTC, the latest TeamPCP intrusion against Checkmarx weeks after the April KICS wave.
Bitwarden CLI Npm Package Backdoored for 90 Minutes as Shai-Hulud Worm Resurfaces Through Checkmarx Breach
A malicious build of @bitwarden/cli@2026.4.0 was live on npm for roughly 93 minutes on April 22 after attackers used credentials stolen from Checkmarx to push a self-propagating worm that harvests cloud, Git, and AI tooling credentials.
CPUID Website Hijacked to Distribute STX RAT Through Trojanized CPU-Z and HWMonitor Downloads
Attackers compromised CPUID's backend API and replaced download links for four popular hardware tools with malware-laden installers, infecting over 150 users across multiple countries.
Trivy Supply-Chain Compromise Spawns CanisterWorm, the First npm Worm to Use Blockchain for Command and Control
Attackers hijacked 75 of 76 version tags in the widely used trivy-action GitHub Action to steal CI/CD credentials, then deployed a self-propagating npm worm that uses the Internet Computer Protocol as an untakeable-down command-and-control channel.
GlassWorm Supply-Chain Attack Hijacks 72 VS Code Extensions and 151 GitHub Repositories to Steal Developer Credentials
A coordinated supply-chain campaign abused Open VSX extension dependencies and invisible Unicode payloads to compromise developer environments across VS Code and GitHub.
Claude Code Vulnerabilities Let Attackers Run Arbitrary Commands and Steal API Keys by Cloning a Repository
Check Point Research disclosed two CVEs in Anthropic's Claude Code that turned project configuration files into attack vectors, enabling remote code execution and API key exfiltration before users could approve a trust dialog.
Prompt Injection in AI Issue Triage Bot Led to Cline CLI Supply Chain Attack, Affecting Thousands of Developers
A security researcher's disclosure of a prompt injection flaw in Cline's AI-powered GitHub issue bot was weaponized eight days later to steal npm publish tokens and install unauthorized software on developer machines.
npm, PyPI, and Crates.io Cannot Afford Basic Security as Malware Costs Devour Thin Budgets, Alpha-Omega Audit Reveals
An audit of the world's largest open source package registries finds they spend 12 percent of their budgets fighting malware and just 2 percent on new features, with no path to sustainable security funding.
PackageGate flaws let Git dependencies bypass npm’s post–Shai-Hulud install defenses
Researchers say Git-sourced dependencies can re-enable code execution paths even when npm is run with --ignore-scripts, undermining a widely recommended mitigation after 2025’s Shai-Hulud worm.
Chinese State Hackers Hijacked Notepad++ Updates for Six Months in Targeted Espionage Campaign
Lotus Blossom APT group compromised Notepad++ update infrastructure from June to December 2025, delivering Cobalt Strike and custom backdoors to select government and telecom targets