GitHub has confirmed that it is investigating unauthorized access to some of its internal repositories. The company shared ...

A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to ...

Sometime around the last week of May 2026, attackers uploaded poisoned packages to three of the most widely used software ...

Popular JavaScript modules including size-sensor and echarts-for-react hit as hijacked account closed GitHub warnings ...

A new report out today from cybersecurity company Forcepoint LLC’s X-Labs research team details a supply chain attack that ...

Microsoft flagged a Mistral AI hack as a supply-chain attack that hid malware in a fake AI library on PyPI. Here's what ...

Mini Shai-Hulud hit 2 OpenAI devices via TanStack, exposing limited credentials and forcing macOS certificate updates by June ...

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious ...

In March 2026, someone hijacked a maintainer account for Axios, a JavaScript HTTP library downloaded more than 45 million ...

For context on how much these can dwarf real installs: at v1 deploy time, one of the seed packages had 2,771 "non-CI" downloads in 30 days under a naïve mirror-and-all-installers query, of which 1,325 ...

Casey Means, nominee for the medical director in the Regular Corps of the Public Health Service and U.S. surgeon general, on Feb. 25 in D.C. (Andrew Harnik/Getty Images) In his March 25 op-ed, “The ...

Casey Means at her Senate confirmation hearing on Feb. 25. (Tom Brenner/AP) President Donald Trump’s nomination of Casey Means to be surgeon general stalled in the Senate this week after a quartet of ...