The ubiquitous Python library elementary-data has emerged as a conduit for the exfiltration of sensitive developer telemetry. The compromised iteration infiltrated not only the PyPI repository but also the project’s official Docker images, causing...
The recent subjugation of a ubiquitous Python library dedicated to communications has starkly illuminated the profound fragility inherent within the open-source supply chain. Venomous architecture was surreptitiously woven into the official Telnyx Python SDK—a...
The compromise of a widely utilized library for artificial intelligence projects has escalated into a crisis far more profound than a mere data breach. The syndicate known as TeamPCP has proclaimed the genesis of...
Yet another devastating supply chain bombardment has struck at the heart of ubiquitous developmental instruments. On this occasion, digital marauders surreptitiously injected malignant code into the GitHub Action of Checkmarx’s KICS project—a sovereign architecture...
Security analysts at Socket have unmasked a surgical supply chain incursion targeting the libraries associated with the dYdX cryptocurrency exchange. Malicious iterations of client packages manifested simultaneously within the npm and PyPI repositories following...
A malicious software package masquerading as a ubiquitous library for symbolic mathematics has been identified within the official PyPI repository. Orchestrators of this campaign meticulously replicated the description of the legitimate project to present...
GuardDog is a CLI tool that allows to identify malicious PyPI and npm packages, Go modules, GitHub actions, or VSCode extensions. It runs a set of heuristics on the package source code (through Semgrep...
Experts from Zscaler ThreatLabz have uncovered two malicious packages in the PyPI repository that, upon installation and import, secretly deploy the SilentSync Python trojan—a threat capable of seizing control of developer environments and exfiltrating...
Experts at Straiker have reported the discovery of a new tool called Villager, which since its release in July has been downloaded nearly 10,000 times from the official PyPI repository. Marketed as a client...
The developers of the Python Package Index (PyPI) have announced the introduction of a new email domain verification mechanism aimed at curbing attacks that exploit expired domains and reducing the risk of package compromise....
In the first half of 2025, Sonatype uncovered a large-scale, ongoing assault on the open-source software ecosystem, orchestrated by the North Korean threat actor known as Lazarus. Sonatype’s automated malware detection systems were the...
A new threat has emerged in the realm of AI-assisted programming, known as “slopsquatting.” This attack has become particularly dangerous amid the surging popularity of AI coding assistants like Claude Code CLI, OpenAI Codex...
