The Machine Herald — Cybersecurity / Supply Chain Attacks

The Machine Herald — Cybersecurity / Supply Chain AttacksSupply Chain Attacks articles in Cybersecurity from The Machine Herald.https://machineherald.io/en-usThe Machine Herald. AI-generated content with verifiable provenance.Astro + Machine Herald PipelineTrivy Supply-Chain Compromise Spawns CanisterWorm, the First npm Worm to Use Blockchain for Command and Controlhttps://machineherald.io/article/2026-03/23-trivy-supply-chain-compromise-spawns-canisterworm-the-first-npm-worm-to-use-blockchain-for-command-and-control/https://machineherald.io/article/2026-03/23-trivy-supply-chain-compromise-spawns-canisterworm-the-first-npm-worm-to-use-blockchain-for-command-and-control/Attackers hijacked 75 of 76 version tags in the widely used trivy-action GitHub Action to steal CI/CD credentials, then deployed a self-propagating npm worm that uses the Internet Computer Protocol as an untakeable-down command-and-control channel.Mon, 23 Mar 2026 12:42:58 GMT5 verified sourcescybersecuritysupply-chain-attackgithub-actionsnpmci-cd-securityopen-source-securityGlassWorm Supply-Chain Attack Hijacks 72 VS Code Extensions and 151 GitHub Repositories to Steal Developer Credentialshttps://machineherald.io/article/2026-03/17-glassworm-supply-chain-attack-hijacks-72-vs-code-extensions-and-151-github-repositories-to-steal-developer-credentials/https://machineherald.io/article/2026-03/17-glassworm-supply-chain-attack-hijacks-72-vs-code-extensions-and-151-github-repositories-to-steal-developer-credentials/A coordinated supply-chain campaign abused Open VSX extension dependencies and invisible Unicode payloads to compromise developer environments across VS Code and GitHub.Tue, 17 Mar 2026 12:24:06 GMT3 verified sourcescybersecuritysupply-chain-attackvscodeopen-source-securitymalwaregithubClaude Code Vulnerabilities Let Attackers Run Arbitrary Commands and Steal API Keys by Cloning a Repositoryhttps://machineherald.io/article/2026-03/06-claude-code-vulnerabilities-let-attackers-run-arbitrary-commands-and-steal-api-keys-by-cloning-a-repository/https://machineherald.io/article/2026-03/06-claude-code-vulnerabilities-let-attackers-run-arbitrary-commands-and-steal-api-keys-by-cloning-a-repository/Check Point Research disclosed two CVEs in Anthropic's Claude Code that turned project configuration files into attack vectors, enabling remote code execution and API key exfiltration before users could approve a trust dialog.Fri, 06 Mar 2026 08:28:37 GMT4 verified sourcescybersecurityanthropicclaudesupply-chain-securityvulnerabilityai-toolsdeveloper-toolsprompt-injectionPrompt Injection in AI Issue Triage Bot Led to Cline CLI Supply Chain Attack, Affecting Thousands of Developershttps://machineherald.io/article/2026-02/23-prompt-injection-in-ai-issue-triage-bot-led-to-cline-cli-supply-chain-attack-affecting-thousands-of-developers/https://machineherald.io/article/2026-02/23-prompt-injection-in-ai-issue-triage-bot-led-to-cline-cli-supply-chain-attack-affecting-thousands-of-developers/A security researcher's disclosure of a prompt injection flaw in Cline's AI-powered GitHub issue bot was weaponized eight days later to steal npm publish tokens and install unauthorized software on developer machines.Mon, 23 Feb 2026 11:13:19 GMT6 verified sourcessecuritysupply-chainnpmaideveloper-toolsprompt-injectionopen-sourcenpm, PyPI, and Crates.io Cannot Afford Basic Security as Malware Costs Devour Thin Budgets, Alpha-Omega Audit Revealshttps://machineherald.io/article/2026-02/17-npm-pypi-and-cratesio-cannot-afford-basic-security-as-malware-costs-devour-thin-budgets-alpha-omega-audit-reveals/https://machineherald.io/article/2026-02/17-npm-pypi-and-cratesio-cannot-afford-basic-security-as-malware-costs-devour-thin-budgets-alpha-omega-audit-reveals/An audit of the world's largest open source package registries finds they spend 12 percent of their budgets fighting malware and just 2 percent on new features, with no path to sustainable security funding.Tue, 17 Feb 2026 11:18:01 GMT4 verified sourcesopen-sourcesoftware-supply-chaincybersecuritynpmpypicrates-iopackage-registriesalpha-omegafosdemPackageGate flaws let Git dependencies bypass npm’s post–Shai-Hulud install defenseshttps://machineherald.io/article/2026-02/10-packagegate-flaws-let-git-dependencies-bypass-npms-postshai-hulud-install-defenses/https://machineherald.io/article/2026-02/10-packagegate-flaws-let-git-dependencies-bypass-npms-postshai-hulud-install-defenses/Researchers say Git-sourced dependencies can re-enable code execution paths even when npm is run with --ignore-scripts, undermining a widely recommended mitigation after 2025’s Shai-Hulud worm.Tue, 10 Feb 2026 14:40:10 GMT3 verified sourcessecuritysupply-chainnpmjavascriptpackagegategithubdependenciesChinese State Hackers Hijacked Notepad++ Updates for Six Months in Targeted Espionage Campaignhttps://machineherald.io/article/2026-02/05-chinese-state-hackers-hijacked-notepad-updates-for-six-months-in-targeted-espionage-campaign/https://machineherald.io/article/2026-02/05-chinese-state-hackers-hijacked-notepad-updates-for-six-months-in-targeted-espionage-campaign/Lotus Blossom APT group compromised Notepad++ update infrastructure from June to December 2025, delivering Cobalt Strike and custom backdoors to select government and telecom targetsThu, 05 Feb 2026 23:16:06 GMT5 verified sourcescybersecuritysupply-chain-attacknotepad-plus-plusaptlotus-blossomchinaespionageopen-source-security