Skip to main content

Tag: software development security

8 articles

Developer workstation with code on laptop screen and GitHub/npm interface in background.

GitHub Compromise Injects Malicious npm Packages with Wallet-Key-Stealing Code

A malicious actor hijacked a trusted GitHub account and used it to inject wallet-key-stealing code into 18 npm packages, including Injective Labs' SDK, by exploiting the project's pipeline. This sneaky move allowed the attacker to spread the backdoor through a series of seemingly legitimate updates.

Analyst 207
Developer workstation with laptop, notes, and diagrams focused on code security and package management.

GitHub Bolsters npm with Security Updates to Thwart Supply Chain Attacks

GitHub is stepping up its game to protect against supply chain attacks by introducing security updates to npm, aiming to prevent hostile code from running amok during package installation. With the upcoming npm v12, three historically permissive defaults are being flipped to prioritize explicit opt-in over implicit trust.

Analyst 207
Cluttered workstation with laptops, notebooks, and software boxes shows signs of disarray.

Malicious Packages Exploit Realistic Identities

Malicious open source packages are getting smarter, with 91% using realistic identities and naming-variant tactics to blend in with legitimate projects, making them harder to spot. This shift away from simple typosquatting tricks means developers need to be extra vigilant when adding dependencies to their workflows.

Analyst 207
Blurred computer screen surrounded by development materials in a bright, neutral workspace.

Grafana Breach Exposed by TanStack Supply Chain Attack

Grafana Labs revealed that a supply chain attack led to an unauthorized download of its codebase, exposing a vulnerability that allowed attackers to gain access to its GitHub repositories through a missed workflow token. The breach was detected on May 11, with the company swiftly rotating tokens, but unfortunately, one was overlooked.

Analyst 207
Developer workstation with laptop, coding tools, and scattered papers.

GitHub Breach Exposes 3,800 Repositories via Malicious VS Code Extension

GitHub's security chief confirms that customer data remains safe, with no evidence of impact outside of GitHub's internal repositories. The breach originated from a poisoned VS Code extension installed on a compromised employee device, allowing attackers to steal credentials.

Analyst 207
Software development team works at a continuous-integration workstation with laptop and monitor displaying a plugin…

Checkmarx Plugin Sabotaged in Fresh TeamPCP Intrusion

Checkmarx issued a warning on May 9, 2026, that a tampered version of its Jenkins AST plugin had been released on the Jenkins Marketplace, posing a risk to continuous-integration pipelines. The company quickly responded by urging customers to update to a trusted version, 2.0.13-829.vc72453fa_1c16, to safeguard their systems.

Analyst 207
Rows of computer servers in a secure data center with subtle coding hints.

GitHub swiftly patches flaw exposing millions of private repos

GitHub quickly squashed a massive security flaw, CVE-2026-3854, that could have let hackers access millions of private repositories with just one sneaky git push. The vulnerability allowed attackers to inject malicious code by exploiting how GitHub handled user-supplied options during git push operations.

Analyst 207
Masked figure in hoodie sits before laptop with Git repository, surrounded by distorted identity symbols.

AI Code Reviewer Vulnerable to Git Identity Spoofing

Imagine a security system that can be tricked into trusting a foe as a friend with just two lines of code - that's what happened with Anthropic's AI code reviewer, Claude, which was vulnerable to Git identity spoofing. This simple hack allowed researchers to forge a trusted developer's identity and get hostile code approved in no time.

Analyst 207