Threat actors have seeded GitHub with weaponized proof-of-concept exploit repositories that silently install a Python-based remote access trojan called ChocoPoc, [according to BleepingComputer](https:
A public proof-of-concept exploit has dropped for [CVE-2026-55200](https://thehackernews.com/2026/06/public-poc-released-for-critical.html), a critical memory-corruption vulnerability in libssh2. The
Supply chain attackers have hijacked at least two npm packages and a cluster of Go modules, repurposing them to silently deploy a Python-based information stealer on developer machines running Windows
Security researchers have documented a working attack technique in which a GitHub repository appears entirely clean — passing both automated security scans and human code review — yet executes a malic
Cybersecurity researchers have confirmed a new wave of the Miasma supply chain campaign — linked to the same threat actor behind the Mini Shai-Hulud and Hades malware families — that has [compromised
Polymarket, one of the largest prediction market platforms, [disclosed on June 25](https://techcrunch.com/2026/06/25/polymarket-says-hackers-stole-users-funds/) that hackers stole funds from user acco
Attackers have compromised ShapedPlugin's plugin update delivery infrastructure, pushing malware-laced releases directly to WordPress sites through the vendor's own official update system. [Multiple S
Palo Alto Networks Unit 42 disclosed a supply-chain-style vulnerability in the [Google Cloud Vertex AI SDK for Python](https://thehackernews.com/2026/06/google-vertex-ai-sdk-flaw-let-attackers.html) t
At least 15 malicious plugins on the official [JetBrains Marketplace](https://www.bleepingcomputer.com/news/security/malicious-jetbrains-marketplace-plugins-steal-ai-api-keys-from-developers/) were si
The White House's weekend order forcing Anthropic to cut off international access to its newest AI models landed on a day the U.S. was celebrating two sports championships — but inside the AI industry
Three widely deployed WordPress plugins — **PushEngage**, **OptinMonster**, and **TrustPulse** — had their JavaScript assets silently tampered with by an attacker, turning trusted plugin files into a
The SpaceX IPO closed Friday as the defining financial event of the year, while a major Linux supply-chain attack and a government-ordered AI model suspension kept security and AI desks equally busy.
Attackers this week compromised more than 400 packages in the [Arch User Repository (AUR)](https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.html), rewriting their `PKGBUILD` scripts
Enterprise breach claims, leaked attack-framework source code, and a CrowdStrike finding that North Korean operators are behind roughly half of all US tech-sector attacks converged to make security th
A self-replicating worm called **Miasma** has been confirmed active inside Microsoft's GitHub presence, hitting 73 repositories across four organizations: **Azure**, **Azure-Samples**, **Microsoft**,
Yesterday's security feed delivered a trio of attacks that weaponize trust — in software distribution, in payment processors, and in password managers — while the NSA reportedly put an Anthropic AI mo
More than 30 npm packages under Red Hat's `@redhat-cloud-services` namespace were compromised in a confirmed supply-chain attack, [per BleepingComputer](https://www.bleepingcomputer.com/news/security/
A supply chain attack campaign dubbed **Miasma** has compromised dozens of packages published under Red Hat's official `@redhat-cloud-services` npm organization, injecting a credential-stealing, self-
A developer has deliberately embedded a hidden prompt injection into **jqwik**, a widely used Java property-based testing library, instructing AI coding agents to silently delete application output wh
A credential-stealing malware campaign is actively targeting Laravel developers through a supply chain attack on the **Laravel Lang** family of localization packages. According to [BleepingComputer](h
Supply-chain compromise has moved from targeted espionage tool to volume business — and a single group is now responsible for an attack pace that package maintainers and platform operators alike are s
The security industry's deepest anxiety — that the tools meant to protect you are themselves the threat — surfaced across multiple stories in recent days, and none of them were subtle.
The same trust model that makes open-source package ecosystems productive has made them a reliable attack surface — and recently that surface expanded to include the AI/ML toolchain itself.
The breach of 3,800 GitHub internal repositories didn't start with a phishing email or a brute-forced credential — it started with a VS Code extension, making this a case study in how deeply supply-ch
Package registries and mail servers — two of the most trusted components in the modern stack — are being weaponized faster than defenders can respond, and the tactics have matured well past hiding mal
This week's most consequential incidents share a structural pattern that should make every security team uncomfortable: the infrastructure defenders rely on to establish trust — code-signing authoriti
The most interesting AI story this week isn't a model release — it's a pair of founders turning down $20 million and betting the open-source agent wave hasn't crested yet.
This week's dominant story isn't a zero-day in enterprise software — it's developers themselves becoming the attack surface, their tools weaponized before a single line of production code is touched.
The dominant story this week is Google's attempt to become the AI layer for everything — but the more unsettling subplot involves compromised infrastructure, an expanding surveillance state, and a run
Supply chain compromises dominated this week, with developer tools, CI workflows, and npm packages falling in overlapping campaigns — while separately, a wave of active exploitation hit network infras
Two threads dominated this week's security landscape: AI systems proving they can find vulnerabilities faster and more reliably than most human researchers, and the humans responsible for protecting c