thenextweb
Attackers hijacked over 1,500 Arch Linux packages to steal developers’ secrets, no hacking required

One of the largest open-source package repositories just spent a weekend cleaning up after a malware campaign that did not break into anything. It did not need to. Attackers seized control of more than 1,500 packages in the Arch User Repository, or AUR, the community-run software collection that sits alongside Arch Linux’s official repositories, and […]<br /> This story continues at The Next Web [...]

Rating

Innovation

Pricing

Technology

Usability

We have discovered similar tools to what you are looking for. Check out our suggestions for similar AI tools.

venturebeat
Protect your enterprise now from the Shai-Hulud worm and npm vulnerability in 6 actionable steps

Any development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be treated as potentially compromised. On affected developer workst [...]

Match Score: 117.91

venturebeat
GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK

GitHub confirmed on May 20 that a poisoned VS Code extension installed on an employee’s device gave attackers access to roughly 3,800 internal repositories at the Microsoft-owned code storage and au [...]

Match Score: 78.57

venturebeat
Three AI coding agents leaked secrets through a single prompt injection. One vendor's system card predicted it

A security researcher, working with colleagues at Johns Hopkins University, opened a GitHub pull request, typed a malicious instruction into the PR title, and watched Anthropic’s Claude Code Securit [...]

Match Score: 75.84

venturebeat
How recruitment fraud turned cloud IAM into a $2 billion attack surface

A developer gets a LinkedIn message from a recruiter. The role looks legitimate. The coding assessment requires installing a package. That package exfiltrates all cloud credentials from the developerâ [...]

Match Score: 75.40

venturebeat
Valid certificates, stolen accounts: how attackers broke npm's last trust signal

On May 19, 633 malicious npm package versions passed Sigstore provenance verification. They were cleared by the system because the attacker had generated valid signing certificates from a compromised [...]

Match Score: 68.07

venturebeat
Claude didn't just plan an attack on Mexico's government. It executed one for a month — across four domains your security stack can't see.

Attackers jailbroke Anthropic’s Claude and ran it against multiple Mexican government agencies for approximately a month. They stole 150 GB of data from Mexico’s federal tax authority, the nationa [...]

Match Score: 66.82

venturebeat
Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren't covering

Four supply-chain incidents hit OpenAI, Anthropic and Meta in 50 days: three adversary-driven attacks and one self-inflicted packaging failure. None targeted the model, and all four exposed the same g [...]

Match Score: 59.75

Destination
USPS backtracks on suspending packages from China

Update, February 5, 2025, 10:02AM ET: The USPS swiftly backtracked on its suspension of Chinese packages. <br /> In an updated statement published Wednesday morning, the agency said, "Effe [...]

Match Score: 57.09

venturebeat
Hackers slipped a trojan into the code library behind most of the internet. Your team is probably affected

Attackers stole a long-lived npm access token belonging to the lead maintainer of axios, the most popular HTTP client library in JavaScript, and used it to publish two poisoned versions that install a [...]

Match Score: 54.63