Open Source

13-year-old RCE vulnerability in Apache ActiveMQ Classic discovered via AI analysis.

Seven vulnerabilities patched in OpenSSL, including moderate-severity data leakage flaw.

13-year-old RCE vulnerability in Apache ActiveMQ Classic can be chained with authentication bypass flaw.

Malicious .pth file discovered in litellm v1.82.8 PyPI package executes on Python startup.

Tech giants launch Project Glasswing, an AI initiative to identify critical software vulnerabilities before malicious

Max-severity RCE vulnerability CVE-2025-59528 in Flowise AI platform actively exploited.

Critical Flowise RCE vulnerability CVE-2025-59528 exploited in the wild, affects 12,000+ instances.

Flowise AI platform CVE-2025-59528 (CVSS 10.0) RCE under active exploitation; 12,000+ instances exposed.

AI-assisted supply chain attack targets GitHub users via automated misconfiguration exploitation.

Axios NPM package targeted in scaled social engineering attack on open source maintainers.

TeamPCP compromised LiteLLM PyPI packages to inject infostealer malware targeting developer credentials.

36 malicious NPM packages posing as Strapi plugins targeted Guardarian users.

North Korean UNC1069 targets Node.js maintainers with social engineering to compromise NPM packages.

North Korean UNC1069 compromised Axios npm maintainer via social engineering to publish malicious package versions.

UNC1069 targets Node.js maintainers via fake LinkedIn/Slack profiles to compromise npm packages.

AI firm Mercor confirms breach linked to LiteLLM supply chain attack; Lapsus$ claims 4TB stolen data.

UNC1069 social engineered Axios npm maintainer to publish trojanized package versions.

CVE-2026-5027: Langflow path traversal vulnerability enables remote code execution.

Threat actors exploit Claude Code source leak via fake GitHub repos to distribute Vidar infostealer malware.

Elastic Security Labs open-sources AI-powered supply chain monitoring tool that detected Axios npm compromise.

Threat actor compromises Axios npm package with stolen credentials, deploys ZshBucket malware.

FUD Linux malware sample discovered and shared for analysis.

Axios npm packages compromised by North Korean Sapphire Sleet with second-stage RAT deployment.

WordPress ecosystem plugins patched for multiple medium/critical vulnerabilities in March 2026.

Sigma detection rules published for Axios npm package compromise incident.

Anthropic's Claude Code source leaked via npm packaging error, triggering typosquat attacks.

Anthropic accidentally leaked Claude Code source code via NPM package due to misconfigured build artifact.

TeamPCP compromises Trivy, KICS, LiteLLM, and Telnyx SDK in multi-stage supply chain attack.

Axios NPM package compromised in precision attack, possibly by North Korean actors.

Malicious npm package 3-ways-how-to-get-free-gems-in-clash-of-clans834 removed after supply chain attack detected.

Axios npm package compromised via backdoored maintainer account delivering cross-platform RAT.

Compromised npm maintainer published malicious Axios versions with multi-platform implants.

Hacker compromised axios npm account and published malware-laden versions with 600K downloads.

Elastic Security Labs detects Axios npm supply chain attack affecting multiple platforms.

Axios npm package hijacked to deliver cross-platform RATs to 100M+ weekly users.

Axios npm package compromised in supply chain attack, exposing 100M weekly downloads to RAT malware.

Four chained vulnerabilities in CrewAI allow sandbox escape and arbitrary code execution via prompt injection.

Malicious axios npm versions 1.14.1 and 0.30.4 inject dropper dependency to fetch platform-specific payloads.

Integer underflow in StrongSwan EAP-TTLS parser allows unauthenticated remote DoS.

Axios npm package compromised via stolen credentials to deliver cross-platform RAT.

15-year-old strongSwan integer underflow bug lets attackers crash VPNs via EAP-TTLS.

TeamPCP compromises Telnyx Python SDK with malicious versions on PyPI targeting Windows, macOS, Linux.

TeamPCP injects malicious code into Telnyx Python SDK versions to steal credentials and crypto keys.

File read flaw in Smart Slider 3 WordPress plugin affects 500K sites via missing capability checks.

BeamMP mod for BeamNG Drive compromised and distributed malware to users.

Attackers hijacked Trivy, npm, and LiteLLM packages in multi-stage supply chain campaign.

TeamPCP compromises Telnyx PyPI package with credential-stealing malware hidden in WAV files.

TeamPCP threat actor executes 50+ supply chain attacks across open-source packages in 8 days.

TeamPCP compromises telnyx PyPI package with stealer malware hidden in WAV files.

Telnyx PyPI package versions 4.87.1 & 4.87.2 compromised in TeamPCP campaign using WAV steganography.