Valid certificates, stolen accounts: how attackers broke npm's last trust signal
On May 19, 633 malicious npm package versions passed Sigstore provenance verification. They were cleared by the system because the attacker had generated valid signing certificates from a compromised maintainer account.Sigstore worked exactly as designed: it verified the package was built in a CI environment, confirmed a valid certificate was issued, and recorded everything in the transparency log. What it cannot do is determine whether the person holding the credentials authorized the publish — and that gap turned the last automated trust signal in npm into camouflage.One day earlier, StepSecurity documented an attack on the Nx Console VS Code extension, a widely used developer tool with more than 2.2 million lifetime installs. Version 18.95.0 was published using stolen credentials on M [...]
Rating
Innovation
Pricing
Technology
Usability
We have discovered similar tools to what you are looking for. Check out our suggestions for similar AI tools.
Hackers slipped a trojan into the code library behind most of the internet. Your team is probably affected
Attackers stole a long-lived npm access token belonging to the lead maintainer of axios, the most popular HTTP client library in JavaScript, and used it to publish two poisoned versions that install a [...]
Protect your enterprise now from the Shai-Hulud worm and npm vulnerability in 6 actionable steps
Any development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be treated as potentially compromised. On affected developer workst [...]
Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren't covering
Four supply-chain incidents hit OpenAI, Anthropic and Meta in 50 days: three adversary-driven attacks and one self-inflicted packaging failure. None targeted the model, and all four exposed the same g [...]
GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK
GitHub confirmed on May 20 that a poisoned VS Code extension installed on an employee’s device gave attackers access to roughly 3,800 internal repositories at the Microsoft-owned code storage and au [...]
Microsoft will start refreshing Secure Boot certificates in March for Windows 11 and Windows 10 ESU users
Get ye to Windows Update, because there's a good chance you've got new Secure Boot certificates to install. Microsoft just announced that it will be refreshing those certificates, which were [...]
How recruitment fraud turned cloud IAM into a $2 billion attack surface
A developer gets a LinkedIn message from a recruiter. The role looks legitimate. The coding assessment requires installing a package. That package exfiltrates all cloud credentials from the developerâ [...]
MCP stacks have a 92% exploit probability: How 10 plugins became enterprise security's biggest blind spot
The same connectivity that made Anthropic's Model Context Protocol (MCP) the fastest-adopted AI integration standard in 2025 has created enterprise cybersecurity's most dangerous blind spot. [...]
Browser-based attacks hit 95% of enterprises — and traditional security tools never saw them coming
Your web gateway can't see it. Your cloud access broker can't see it. Your endpoint protection can't see it. And yet 95% of organizations experienced browser-based attacks last year, ac [...]
Claude didn't just plan an attack on Mexico's government. It executed one for a month — across four domains your security stack can't see.
Attackers jailbroke Anthropic’s Claude and ran it against multiple Mexican government agencies for approximately a month. They stole 150 GB of data from Mexico’s federal tax authority, the nationa [...]