GlassWorm campaign used 72 malicious Open VSX extensions and infected 151 GitHub repositories, enabling stealth supply-chain attacks on developers.

Researchers at Endor Labs uncovered 88 new packages tied to new waves of the campaign, which uses remote dynamic dependencies to deliver credential-stealing malware.

Summary of Google’s H1 2026 Cloud Threat Horizons findings arguing identity failures, weaponized local AI tooling, and collapsing exploitation windows require AI-native security architectures and ...

The Debian/Ubuntu package manager isn't just for installing and removing software. You'll find there are some other tricks up Apt's sleeve that you should know about.

The Contagious Interview campaign weaponizes job recruitment to target developers. Threat actors pose as recruiters from crypto and AI companies and deliver backdoors such as OtterCookie and ...

New attack waves from the 'PhantomRaven' supply-chain campaign are hitting the npm registry, with dozens of malicious packages that exfiltrate sensitive data from JavaScript developers.

Webpack's 2026 roadmap, led by Even Stensberg, unveils substantial enhancements aimed at modernizing the bundler. Key ...

An experimental Rust compiler is intended to replace the previous Go compiler, and the Astro dev server now supports custom runtimes.

Hackers exploited a compromised npm package to breach cloud systems and gain full AWS administrator access within 72 hours.

A malicious npm package disguised as a legitimate AI tool to install the virally popular OpenClaw, but designed to steal system passwords and crypto wallets, ...

A newly discovered InstallFix campaign relies on malicious commands on cloned installation webpages to trick victims into installing malware.