Tag: dependencyhijacking
8 articles

Malicious NuGet Package Exclusive: Critical Stripe Risk
A Malicious NuGet Package targeting Stripe has been uncovered—if your projects use Stripe, find out how this critical risk could expose payments and what immediate steps you should take to secure your builds.

Shai-Hulud v2 Exclusive: Dangerous Spread Exposes Secrets
Shai‑Hulud’s second wave has jumped from npm into Maven, turning trusted packages into a secret‑stealing worm that probes CI and environment tokens and self‑replicates through dependencies. If you build or secure software, now’s the moment to rotate credentials, harden pipelines, and vet every dependency.

Npm Malware: Shocking Invisible Dependencies Are Dangerous
Think your npm packages are safe? Recent attacks that slipped malicious code into 126 npm packages — roughly 86,000 downloads — show how invisible dependency changes can cascade into thousands of projects, so token hygiene, 2FA and publish provenance matter more than ever.

18 Popular Code Packages Rigged to Steal Crypto
Think your dependencies are safe? Eighteen popular packages were secretly rigged to siphon crypto—here’s how to spot, avoid, and clean up these sneaky supply‑chain attacks.

typosquatted npm package: Shocking Dangerous Heist
A single malicious line in a typosquatted npm package quietly CC’d thousands of Postmark emails to an attacker—turning a routine dependency into a stealthy data leak. It’s a wake‑up call: strong dependency hygiene, provenance checks, and runtime protections are essential to keep outbound messaging safe.

PyPI packages: Risky SilentSync Alert — Must-Have Fix
Cybersecurity researchers found two malicious PyPI packages that delivered the SilentSync RAT to Windows machines, enabling remote command execution, file theft and screen capture. Treat your dependency tree like an attack surface—audit packages, pin versions and lock down CI to stop supply-chain intrusions.

secret-stealing worm: Devastating npm threat Revealed
A fast‑spreading secret‑stealing worm nicknamed Shai‑Hulud is prowling npm, siphoning hundreds of credentials from developer machines and CI pipelines and turning routine installs into supply‑chain attacks. Act now: rotate exposed tokens, harden CI, and vet dependencies to stop further spread.

supply chain attack: Stunning Near-Miss, Risky Lessons
A fast, coordinated open‑source response helped avert what could have been a massive npm supply‑chain breach, but the near miss raises urgent questions for developers, maintainers and policymakers about dependency hygiene, registry controls and long‑term resilience.