TrapDoor spread 34 malicious packages across npm, PyPI, and Crates.io, stealing developer credentials and enabling persistence.

NPM and PRX have teamed up to develop a powerful and streamlined collaborative solution. Stations using or considering PRX's Dovetail podcast publishing and monetization platform — available to ...

A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and ...

GitHub’s internal repositories — now staged publishing in npm 11.15.0 requires a human 2FA approval before any package goes ...

Malicious npm package downloaded 676 times stole Claude AI files via GitHub uploads, increasing AI-driven malware risks.

The OWASP-backed tool scans JavaScript and TypeScript lockfiles locally, aiming to help developers catch and remediate dependency risks before CI failures.

Perplexity launches Bumblebee: How its new read-only dev scanner differs from Chainguard ...

NPR, NPR's sponsorship subsidiary NPM, and PRX today announced a public media collaboration creating a new, more flexible path for stations to monetize their podcasts.

Malicious packages across npm, PyPI, and Crates.io show how poisoned developer workflows can become a route into enterprise systems.

The security platform Socket has recently discovered an enormous worldwide malware operation that has been dubbed "TrapDoor".

The four C&C channels used by GlassWorm, the botnet targeting open source software developers, have been disrupted.

Ubiquiti released a new security bulletin detailing fixes for six security issues, including one rated 9.1 (critical) and one scoring a perfect 10.0 on the CVE risk scale. The vulnerabilities ...