Supply Chain Security
3 articles
TrapDoor Campaign Deploys 34 Malicious Packages Across npm, PyPI, and Crates.io, Weaponizing AI Coding Assistants to Steal Crypto Wallets
Socket researchers discovered TrapDoor, a supply chain attack spanning 34 packages and 384+ versions across three registries, with a novel technique that embeds hidden instructions in AI coding assistant config files to trigger credential exfiltration.
5 min read · 4 sources
npm Ships Staged Publishing and Install-Source Allowlists in CLI 11.15.0, Requiring Human 2FA Approval Before Packages Go Live
GitHub's npm registry makes staged publishing generally available: packages must pass a human-approved, 2FA-gated queue before consumers can install them.
5 min read · 5 sources
Mini Shai-Hulud Worm Hits TanStack, Mistral AI and UiPath, Compromising 170+ npm and PyPI Packages With 518M Combined Downloads
TeamPCP's May 11 supply-chain attack abused a pull_request_target workflow, GitHub Actions cache poisoning, and OIDC token theft to ship 84 malicious TanStack versions and spread to Mistral AI, UiPath and others.
7 min read · 7 sources