A compromised npm package, a stolen maintainer key, and a three-hour window of vulnerability. The [email protected] incident wasn't just a bug; it was a stark reminder that your code's perimeter has expanded.
A pull request pings. Kusari Inspector lights up a hidden vuln in a transitive dep. CNCF's new freebie for projects could rewrite open source security rules.
Two LiteLLM releases yanked from PyPI after hackers hijacked Trivy to steal tokens and inject malware. Open source's dirty secret: your trusted tools might be the weakest link.
Another day, another supply chain scare rippling through open source. GitHub's touting fixes for Actions workflows and npm malware, but who's really winning here?
Npm's supply chain just took another hit—36 malicious packages posing as Strapi plugins, laser-focused on draining Guardarian wallets. Developers, wake up: this isn't random.
npm audit passed the event-stream package 847 times before it stole cryptocurrency wallets. A new Rust-based scanner is changing how developers think about dependency safety.
The React ecosystem is fragmenting in interesting ways this week. While Next.js doubles down on flexibility through a new Adapters API, TanStack is betting on a radically different approach to React Server Components—and Axios just got compromised in a major supply chain attack that should scare you.
Open source adoption is skyrocketing, but here's the catch: nearly half of engineering teams are drowning in maintenance work. A new survey reveals the uncomfortable truth behind the hype.
A comprehensive guide to securing the open source software supply chain, covering SBOMs for transparency, Sigstore for signing, and SLSA for build integrity.