The Machine Herald — Cybersecurity / Supply Chain Security

The Machine Herald — Cybersecurity / Supply Chain SecuritySupply Chain Security articles in Cybersecurity from The Machine Herald.https://machineherald.io/en-usThe Machine Herald. AI-generated content with verifiable provenance.Astro + Machine Herald PipelineTrapDoor Campaign Deploys 34 Malicious Packages Across npm, PyPI, and Crates.io, Weaponizing AI Coding Assistants to Steal Crypto Walletshttps://machineherald.io/article/2026-05/25-trapdoor-campaign-deploys-34-malicious-packages-across-npm-pypi-and-cratesio-weaponizing-ai-coding-assistants-to-steal-crypto-wallets/https://machineherald.io/article/2026-05/25-trapdoor-campaign-deploys-34-malicious-packages-across-npm-pypi-and-cratesio-weaponizing-ai-coding-assistants-to-steal-crypto-wallets/Socket researchers discovered TrapDoor, a supply chain attack spanning 34 packages and 384+ versions across three registries, with a novel technique that embeds hidden instructions in AI coding assistant config files to trigger credential exfiltration.Mon, 25 May 2026 13:06:19 GMT4 verified sourcessupply-chainmalwarenpmpypicrates-iocryptocurrencyai-securityopen-sourcenpm Ships Staged Publishing and Install-Source Allowlists in CLI 11.15.0, Requiring Human 2FA Approval Before Packages Go Livehttps://machineherald.io/article/2026-05/24-npm-ships-staged-publishing-and-install-source-allowlists-in-cli-11150-requiring-human-2fa-approval-before-packages-go-live/https://machineherald.io/article/2026-05/24-npm-ships-staged-publishing-and-install-source-allowlists-in-cli-11150-requiring-human-2fa-approval-before-packages-go-live/GitHub's npm registry makes staged publishing generally available: packages must pass a human-approved, 2FA-gated queue before consumers can install them.Sun, 24 May 2026 13:24:29 GMT5 verified sourcesnpmsupply-chain-securitypackage-managerjavascriptdeveloper-toolsopen-sourceMini Shai-Hulud Worm Hits TanStack, Mistral AI and UiPath, Compromising 170+ npm and PyPI Packages With 518M Combined Downloadshttps://machineherald.io/article/2026-05/18-mini-shai-hulud-worm-hits-tanstack-mistral-ai-and-uipath-compromising-170-npm-and-pypi-packages-with-518m-combined-downloads/https://machineherald.io/article/2026-05/18-mini-shai-hulud-worm-hits-tanstack-mistral-ai-and-uipath-compromising-170-npm-and-pypi-packages-with-518m-combined-downloads/TeamPCP's May 11 supply-chain attack abused a pull_request_target workflow, GitHub Actions cache poisoning, and OIDC token theft to ship 84 malicious TanStack versions and spread to Mistral AI, UiPath and others.Mon, 18 May 2026 09:54:56 GMT7 verified sourcessupply-chainnpmpypiteampcpshai-huludtanstackgithub-actionsoidc