According to Socket, malicious payment SDK packages on npm and PyPI are harvesting developer credentials and CI/CD ...
A campaign active since last November has been targeting Python developers building Telegram bots with trojanized Pyrogram ...
Every Python developer knows some or all of these libraries, because they’re stable, reliable, and excellent at what they do.
Vienna, Austria, June 25, 2026 — digna, the European data quality and observability platform, today announced the release of digna 2026.06, introducing a new Python SDK and Docker deployment support ...
Threat actors have struck the software supply chain yet again, this time hitting the Python Package Index (PyPI) with Mini Shai-Hulud in an attempt to spread poisoned code. In the latest campaign, ...
Abstract: The rapid growth of open-source ecosystems such as PyPI has significantly increased the risk of malicious packages infiltrating and affecting the software supply chains. Attackers often ...
On May 11, 2026, a self-replicating worm called Mini Shai-Hulud quietly slipped into 42 widely used TanStack open-source packages, corrupting 84 npm artifacts before anyone noticed. Within hours, the ...
Any development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be treated as potentially compromised. On affected developer ...
Open source packages published on the npm and PyPI repositories were laced with code that stole wallet credentials from dYdX developers and backend systems and, in some cases, backdoored devices, ...
Cybersecurity researchers have flagged a malicious package on the Python Package Index (PyPI) repository that claims to offer the ability to create a SOCKS5 proxy service, while also providing a ...
GitGuardian has disclosed a new software supply chain attack campaign, dubbed GhostAction, that exfiltrated thousands of sensitive credentials before being detected and contained on September 5. The ...