#OpenSource used to mean trusting skilled developers to build and maintain good #software so others did not need to learn every language, tool, or best practice themselves.

Now, #SupplyChainAttack and #AISlop have made many projects harder to trust.

Too much software is rushed, poorly understood, or built for hype instead of quality.

#Developers now spend more time checking code, #dependencies, and #maintainers instead of simply building software.

#AI was supposed to reduce cognitive load 😒

Popular node-IPC NPM package compromised to steal credentials

node-ipc, a popular Node.js IPC package, was recently infected with malicious code in a supply chain attack, and a version containing info-stealing malware that exfiltrates cloud credentials for AWS, Azure, GCP and others, SSH keys, and CI/CD secrets was distributed. The attacker took over an inactive maintainer's account to insert the malicious code, and the malware covertly sends the stolen data out via DNS TXT queries. Developers using the infected version should remove it immediately and rotate the exposed secrets.

https://www.bleepingcomputer.com/news/security/popular-node-ipc-npm-package-compromised-to-steal-credentials/

#security #supplychainattack #npm #nodejs #malware

Popular node-ipc npm package compromised to steal credentials

Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm.

BleepingComputer
🚨 Breaking news! 🚨 A supply chain attack on #npm shocks #developers worldwide, and in an utterly predictable twist, the only package manager where this "regularly happens" shrugs and says, "Oops, our bad." 😅 Devs are now collectively wringing their hands, wondering how they got #bamboozled by the same trick for the zillionth time. 🤦‍♂️
https://kevinpatel.xyz/posts/no-way-to-prevent-this/ #supplychainattack #security #shocked #oops #HackerNews #ngated
‘No Way To Prevent This,’ Says Only Package Manager Where This Regularly Happens | Kevin Patel

Kevin Patel - Application Security Engineer @ NISC

Kevin Patel

AI took centre stage in cybersecurity this week on both sides of the battlefield. From critical zero-days to open-sourced malware, there’s plenty keeping security teams on high alert.

#AIinCybersecurity #ZeroDayExploit #SupplyChainAttack #DataBreach

https://cybernewsweekly.substack.com/p/cybersecurity-news-review-week-20-191

Cybersecurity News Review - Week 20 (2026)

AI took centre stage in cybersecurity this week - on both sides of the battlefield.

Cybersecurity News Weekly

OpenAI Breach Exposes Code-Signing Certificates in TanStack Supply Chain Attack

OpenAI revealed that two employee devices were compromised in a recent TanStack supply-chain attack, but fortunately, customer data, production systems, and intellectual property remained safe. The breach was limited to a small set of internal source code repositories and credentials.

https://osintsights.com/openai-breach-exposes-code-signing-certificates-in-tanstack-supply-chain-attack?utm_source=mastodon&utm_medium=social

#TanstackSupplyChain #Openai #CodesigningCertificates #SupplyChainAttack #EmergingThreats

OpenAI Breach Exposes Code-Signing Certificates in TanStack Supply Chain Attack

OpenAI breach exposes code-signing certificates in TanStack supply chain attack, learn how two employee devices were compromised and what it means for cybersecurity, read more now.

OSINTSights
#Socket detected a #supplychainattack on 84 #TanStack #npm packages, including popular ones like tanstack/react-router, which were compromised with suspected credential-stealing malware. The attack involved a chained #GitHub Actions attack and resulted in the publication of malicious packages authenticated through the project’s #OIDC trusted-publisher binding. https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack?eicker.news #tech #media #news
TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack

Socket detected 84 compromised TanStack npm package artifacts modified with suspected CI credential-stealing malware.

Socket

An official Checkmarx Jenkins package was compromised with an infostealer. Trusted CI/CD pipelines are becoming prime supply-chain targets. Build security must start at the source. 🛠️⚠️ #SupplyChainAttack #DevSecOps

https://www.bleepingcomputer.com/news/security/official-checkmarx-jenkins-package-compromised-with-infostealer/

Official CheckMarx Jenkins package compromised with infostealer

Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace.

BleepingComputer

TeamPCP has open sourced their Shai-Hulud project.

It can be downloaded here.

https://vx-underground.org/tmp

#cybersecurity #infosec #teampcp #shaihuludmalware #supplychainattack

RubyGems Under Attack

RubyGems is currently under a large-scale malicious attack, and new signups have been temporarily suspended. Hundreds of packages are involved in the attack, some of which contain malicious code. The RubyGems team is responding urgently to block the attack and analyze the data, and has succeeded in blocking the DDoS and the malicious uploads. The community is watching the situation closely and waiting for further information.

https://twitter.com/maciejmensfeld/status/2054164602577940619

#rubygems #supplychainattack #security #malware #opensource

Maciej Mensfeld (@maciejmensfeld) on X

We're dealing with a major malicious attack on @rubygems right now. Signups are paused for the time being. Hundreds of packages involved - mostly targeting us, but some carrying exploits. The team has been on this for hours. More details to follow once we're through it. #ruby

X (formerly Twitter)