Days after IBM and Red Hat announced a master security plan for open-source software, Red Hat suffers a major breach of its ...

SVG phishing email attacks are bypassing enterprise email security gateways by hiding JavaScript inside image files and ...

With the rise of AI coding assistants continuing apparently unabated, some project maintainers have begun striking back. Ars Technica reports on projects putting hostile directions into the ...

A malicious version of the PyTorch Lightning package published on the Python Package Index (PyPI) delivers a credential-stealing payload targeting browsers, environment files, and cloud services. The ...

A widely active phishing-as-a-service (PhaaS) operation known as FlowerStorm has begun using a browser-based virtual machine to conceal credential theft code, marking what researchers say is an ...

A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and ...

Ghostwriter used Prometheus lures since spring 2026 to target Ukraine agencies, enabling malware delivery and data theft.

The Mini Shai-Hulud malware campaign continues to slither its way through the software supply chain, rearing its malicious head in a fresh wave of compromised npm packages and artifacts, mainly those ...