Skip to main content

Tag: dependencyhijacking

8 articles

Malicious NuGet Package Exclusive: Critical Stripe Risk

Malicious NuGet Package Exclusive: Critical Stripe Risk

A Malicious NuGet Package targeting Stripe has been uncovered—if your projects use Stripe, find out how this critical risk could expose payments and what immediate steps you should take to secure your builds.

Analyst 207
Shai-Hulud v2 Exclusive: Dangerous Spread Exposes Secrets

Shai-Hulud v2 Exclusive: Dangerous Spread Exposes Secrets

Shai‑Hulud’s second wave has jumped from npm into Maven, turning trusted packages into a secret‑stealing worm that probes CI and environment tokens and self‑replicates through dependencies. If you build or secure software, now’s the moment to rotate credentials, harden pipelines, and vet every dependency.

Analyst 207
Npm Malware: Shocking Invisible Dependencies Are Dangerous

Npm Malware: Shocking Invisible Dependencies Are Dangerous

Think your npm packages are safe? Recent attacks that slipped malicious code into 126 npm packages — roughly 86,000 downloads — show how invisible dependency changes can cascade into thousands of projects, so token hygiene, 2FA and publish provenance matter more than ever.

Analyst 207
18 Popular Code Packages Rigged to Steal Crypto

18 Popular Code Packages Rigged to Steal Crypto

Think your dependencies are safe? Eighteen popular packages were secretly rigged to siphon crypto—here’s how to spot, avoid, and clean up these sneaky supply‑chain attacks.

Analyst 207
typosquatted npm package: Shocking Dangerous Heist

typosquatted npm package: Shocking Dangerous Heist

A single malicious line in a typosquatted npm package quietly CC’d thousands of Postmark emails to an attacker—turning a routine dependency into a stealthy data leak. It’s a wake‑up call: strong dependency hygiene, provenance checks, and runtime protections are essential to keep outbound messaging safe.

Analyst 207
PyPI packages: Risky SilentSync Alert — Must-Have Fix

PyPI packages: Risky SilentSync Alert — Must-Have Fix

Cybersecurity researchers found two malicious PyPI packages that delivered the SilentSync RAT to Windows machines, enabling remote command execution, file theft and screen capture. Treat your dependency tree like an attack surface—audit packages, pin versions and lock down CI to stop supply-chain intrusions.

Analyst 207
secret-stealing worm: Devastating npm threat Revealed

secret-stealing worm: Devastating npm threat Revealed

A fast‑spreading secret‑stealing worm nicknamed Shai‑Hulud is prowling npm, siphoning hundreds of credentials from developer machines and CI pipelines and turning routine installs into supply‑chain attacks. Act now: rotate exposed tokens, harden CI, and vet dependencies to stop further spread.

Analyst 207
supply chain attack: Stunning Near-Miss, Risky Lessons

supply chain attack: Stunning Near-Miss, Risky Lessons

A fast, coordinated open‑source response helped avert what could have been a massive npm supply‑chain breach, but the near miss raises urgent questions for developers, maintainers and policymakers about dependency hygiene, registry controls and long‑term resilience.

Analyst 207