Supply chain attackers have hijacked at least two npm packages and a cluster of Go modules, repurposing them to silently deploy a Python-based information stealer on developer machines running Windows.
A new supply chain campaign called **Shai-Hulud** has compromised 19 science-focused packages on the Python Package Index, [according to BleepingComputer](https://www.bleepingcomputer.com/news/securit
A working exploit for an unpatched Visual Studio Code vulnerability is now public, and it does something particularly damaging: steal GitHub authentication tokens with a single click from the victim.
Security researchers at OX Security have [identified a malicious package on the npm registry](https://thehackernews.com/2026/05/malicious-npm-package-stole-files-from.html) named **`mouse5212-super-fo
This week's dominant story isn't a zero-day in enterprise software — it's developers themselves becoming the attack surface, their tools weaponized before a single line of production code is touched.