Tag: supply-chain

Malware Security Announcements AI Engineering Technology Open Source SCA Compliance & SBOM CI/CD

Malware

PyTorch Lightning Compromised: Shai-Hulud Worm Reaches PyPI

PyPI yanked PyTorch Lightning versions 2.6.2 and 2.6.3 after both embedded a two-stage credential-stealing payload. Any import of the library spawns an 11MB obfuscated JavaScript worm identical to...

Malware

Malicious redeem-onchain-sdk npm Targets Crypto Wallets

redeem-onchain-sdk impersonates a Polymarket helper SDK and exfiltrates SSH keys, AWS credentials, npm tokens, Docker configs, Chrome saved logins, and a month of local git history to an AWS-hosted...

Announcements

PMG dependency cooldown: wait on fresh npm versions

Package Manager Guard (PMG) blocks malicious installs and now supports dependency cooldown, a configurable window that hides brand-new npm versions during resolution so installs prefer older,...

Malware

Mini Shai Hulud and SAP Compromise

Four SAP npm packages published on April 29, 2026 contain a two-stage credential-stealing payload targeting GitHub tokens, AWS keys, and CI/CD pipelines. The packages share SAP-affiliated...

Malware

ixpresso-core: Windows RAT Disguised as a WhatsApp Agent

ixpresso-core poses as an AI WhatsApp agent on npm but installs Veltrix, a Windows RAT that steals browser credentials, Discord tokens, and keystrokes via a hardcoded Discord webhook.

Malware

forge-jsx npm Package: Purpose-Built Multi-Platform RAT

forge-jsx poses as an Autodesk Forge SDK on npm. On install it deploys a system-wide keylogger, recursive .env file scanner, shell history exfiltrator, and a WebSocket-based remote filesystem...