Open Source
OSS vulnerabilities, package security, dependency risks
50 items tagged #open-source
Articles
Malicious postinstall hooks discovered across 700+ GitHub repos targeting PHP and Node.js packages via Packagist.
CISA adds Drupal core SQL injection vulnerability CVE-2026-9082 to KEV catalog
AI-generated packages surge exponentially on npm, reshaping open source production and consumption.
GitHub breach of 3,800 repos linked to malicious Nx Console extension in TanStack npm supply-chain attack
Socket raises $60M Series C at $1B valuation to defend software supply chains against AI-era attacks.
Shai-Hulud campaign injects malware into 600+ npm packages to steal developer credentials.
Leaked Shai-Hulud malware deployed in four malicious npm packages by threat actor.
Shai-Hulud worm clones emerge days after source code release on GitHub.
Grafana confirms source code theft via compromised GitHub token; rejects ransom demand.
Funnel Builder WordPress plugin vulnerability exploited to inject payment card skimmers.
TeamPCP releases Shai-Hulud worm source code on GitHub, fueling supply chain attacks with monetary rewards.
TeamPCP hackers demand $25K for stolen Mistral AI source code via supply-chain compromise.
Lightning AI allegedly breached; internal codebase and PyTorch Lightning project files exposed.
Stealer backdoor discovered in 3 node-ipc npm package versions targeting developer credentials.
18-year-old NGINX heap buffer overflow vulnerability allows DoS and potential RCE.
PraisonAI CVE-2026-44338 auth bypass exploited within hours of disclosure
TeamPCP and BreachForums launch $1,000 contest rewarding supply chain attacks on open source packages.
TanStack supply chain attack compromises Mistral AI SDK packages on npm and PyPI
Mistral AI confirms impact from TanStack supply chain attack.
Threat actors publish malicious RubyGems packages with scrapers targeting UK government servers.
Critical Exim mail server flaw CVE-2026-45185 allows unauthenticated remote code execution via TLS handling.
TeamPCP poisoned 400+ npm and PyPI packages with Mini Shai-Hulud self-propagating worm via hijacked OIDC tokens.
Composer vulnerability exposed GitHub Actions tokens in CI logs due to token format validation regex mismatch.
GemStuffer campaign abuses 150+ RubyGems packages to exfiltrate U.K. council portal data.
RubyGems suspends new registrations after 500+ malicious packages uploaded in attack.
Mini Shai-Hulud malware compromises hundreds of open-source packages across major registries in supply-chain attack.
Exim BDAT use-after-free vulnerability (CVE-2026-45185) enables RCE in GnuTLS builds.
Shai-Hulud Git worm malware code publicly released on GitHub.
RubyGems suspends signups after 500+ malicious packages uploaded in coordinated attack.
Hugging Face tokenizer files can be manipulated to hijack AI model outputs and exfiltrate data.
Shai-Hulud campaign compromises 160+ npm packages with credential-stealing malware via OIDC token hijacking.
Hundreds of npm packages infected by self-propagating worm targeting TanStack ecosystem.
TeamPCP compromises 170+ npm/PyPI packages in Mini Shai-Hulud supply chain attack.
Shai-Hulud malware discovered in additional compromised Mistral AI npm packages for GCP and Azure.
TeamPCP compromises npm/PyPI packages from TanStack, Mistral AI, Guardrails AI via Mini Shai-Hulud worm campaign.
Zscaler discovers malicious AI skill posing as ByteDance Doubao CLI in OpenClaw ecosystem.
Fake OpenAI Privacy Filter repo on Hugging Face delivers Rust infostealer, hits #1 trending with 244K downloads.
BADC private git repository allegedly breached and leaked by threat actor.
Critical out-of-bounds read in Ollama allows remote memory leak affecting 300K+ servers.
Malicious Hugging Face repository impersonating OpenAI's Privacy Filter delivers infostealer malware.
Gemini CLI vulnerability allowed prompt injection to enable supply chain attacks via GitHub issues.
Nimrod Stealer source code leaked on hacking forum for credential theft.
Critical vm2 sandbox escape vulnerability (CVE-2026-26956) allows arbitrary code execution on host systems.
OceanLotus deploys ZiChatBot malware via malicious PyPI packages targeting Windows and Linux.
Critical heap out-of-bounds read in Ollama exposes 300K deployments to unauthenticated information theft.
MetInfo CMS CVE-2026-29014 actively exploited for unauthenticated remote code execution
Malicious PyTorch Lightning v2.6.3 on PyPI deploys credential-stealing JavaScript payload.
Researchers reveal 20-year-old PostgreSQL flaws in pgcrypto at Wiz ZeroDay.Cloud event.
PoC released for CVE-2026-41940, cPanel/WHM authentication bypass vulnerability.
Threat actors poison SAP npm packages to steal developer credentials in supply chain attack.