Supply-Chain

5 posts

Bitwarden CLI Backdoored on npm for 93 Minutes

April 24, 2026

Bitwarden’s CLI was backdoored and pushed to npm on April 22, 2026. It was live for 93 minutes. Every developer who installed it during that window has to …

PHP Composer Command Injection CVE-2026-40261

April 15, 2026

PHP Composer Has Two Flaws That Run Arbitrary Commands on Developer Machines. PHP Composer, the package manager that almost every PHP developer uses to build …

Axios npm Supply Chain Attack: How a Fake Meeting Compromised 100 Million Downloads

April 4, 2026

Axios, the JavaScript library with over 100 million weekly downloads, was compromised on March 31st. For roughly three hours, every fresh install of those two …

MaliciousCorgi: The VSCode Attack Hiding in Plain Sight - 1.5 Million Installs Affected

January 25, 2026

Two VSCode extensions with 1.5 million installs are stealing source code right now, not last month. Researchers published their findings on January 22. Three …

Fake SymPy Package Deploys Fileless Cryptominer on Linux Systems

January 22, 2026

A fake SymPy package deploys XMRig cryptominers on Linux machines. The malware hides inside polynomial functions. It only activates when you do math. Over 1,000 …