Follow for the latest updates and insights on open source security & engineering.
The popular npm package `nx` was compromised, targeting Linux and macOS developers. Malicious versions included a postinstall script that stole credentials, exfiltrated sensitive files, and added destructive commands to shell configs, causing system shutdowns and data leaks.
A malicious NPM package targeting TensorFlow users was discovered on npm. The package uses typosquatting to target the popular `tensorflow` package.
Multiple malicious Python packages targeting crypto developers and their applications using typosquatting were discovered on PyPI. The packages were used to steal funds by executing a stealthy staking operation.
PEP 723 introduces inline metadata for Python scripts, making tools like `uv` more convenient—but also potentially more dangerous. This post explores security pitfalls when dependencies are declared inside code files.
AI coding agents make development faster but can inadvertently introduce security risks by suggesting unvetted packages. Learn how to use vet MCP server for adding security to your vibe coding adventures.
A supply chain attack exploiting eslint-config-prettier and other popular npm packages were discovered with major supply chain impact. In this blog, we will explore the details of the hack and the impact it had on the npm ecosystem.
Secure your projects