📰 Incidents récents
Supply Chain
OpenSSF
Wed, 24 Ju
OpenSSF Newsletter – June 2026
June highlighted the high stakes for open source security. The European Open Source Security Forum focused on turning CRA commitments into action, while the Mini Shai-Hulud and Miasma threats underscored the need for strong provenance. Despite these challenges, the community prog
Supply Chain
OpenSSF
Wed, 10 Ju
Mini Shai-Hulud: Where SLSA’s Boundaries Fall
The “Mini Shai-Hulud” attack chained a GitHub Actions workflow misconfiguration, cache poisoning, and OIDC token extraction to publish malicious packages through legitimate CI/CD pipelines.
Supply Chain
DarkReading
Wed, 01 Ju
'Phantom Squatting': An Emerging AI-Driven Supply Chain Threat
LLMs consistently hallucinate Web domains for legitimate brands that attackers can register for malicious activity in a difficult-to-detect attack vector.
Backdoor
DarkReading
Wed, 01 Ju
China-Linked Group Targets Southeast Asia Critical Systems
The group compromised at least 10 regional organizations, including two state-owned entities, and deployed a new backdoor.
Supply Chain
OpenSSF
Tue, 30 Ju
What’s in the SOSS? Podcast #64 – S3E16 The Heartbeat of the Kernel: Why Upstream is the Ultimate Security Strategy with Greg Kroah-Hartman
Supply Chain
OpenSSF
Tue, 23 Ju
Bridging the Gap Between Code and Research: Why SCORED ’26 Matters for Open Source Security
Let’s be completely honest about how we’ve historically handled security research: academia and open source practitioners have basically been living on two different planets. That’s why we created SCORED (the Workshop on Software Supply Chain Offensive and Defensive Research). It
Supply Chain
Snyk Blog
Tue, 23 Ju
What nearly 10,000 developer environments reveal about agentic development risk
AI coding agents are adding a new layer to the software supply chain. Learn what Snyk found in nearly 10,000 developer environments and how to secure the tools, instructions, and permissions behind agentic development.
Package Compromise
Snyk Blog
Tue, 19 Ma
The AntV Supply Chain Campaign Expands: Microsoft's `durabletask` PyPI Package Compromised
A day after the AntV npm supply chain attack, the same campaign appears to have struck `durabletask`, a Microsoft-associated Python package on PyPI. Snyk has coverage in the vulnerability database and package health pages. Here's what we know.
Supply Chain
OpenSSF
Tue, 16 Ju
What’s in the SOSS? Podcast #63 – S3E15 Big Thoughts, Open Sources: Driving Enterprise Security and Career Growth Through Open Source with Jamie Thomas (IBM)
Package Compromise
Snyk Blog
Tue, 16 Ju
A Forgotten Contributor Account Compromised the Entire Mastra npm Package Scope
A dormant contributor account was used to republish the entire @mastra npm scope, each injected with a single dependency, easy-day-js, that drops a cross-platform cryptocurrency stealer. Here is how the attack worked, how to check exposure, and how to remediate.
Supply Chain
OpenSSF
Tue, 14 Ju
What’s in the SOSS? Podcast #65 – S3E17 Signing the Future: Securing AI and ML Artifacts with Mihai Maruseac
In this episode of What’s in the SOSS?, host Yesenia Yser sits down with Mihai Maruseac (OpenAI) to discuss the OpenSSF Model Signing (OMS) specification, securing the AI/ML supply chain, and establishing a cryptographic chain of custody for models and datasets.
Package Compromise
TheHackerNews
Tue, 14 Ju
148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet
A campaign of 148 npm packages disguised as student web proxies turned visitors' browsers into a distributed denial-of-service botnet for roughly two weeks in May, according to new research from JFrog.
The packages did not go after the developers who might install them. The oper
Supply Chain
TheHackerNews
Tue, 14 Ju
Microsoft Maps Three Salesforce Attack Paths Tied to a Year of ShinyHunters Activity
Attackers whose methods line up with the data-extortion group ShinyHunters have spent the past year walking into corporate Salesforce environments without exploiting a single flaw in the platform.
The way in has been the trust the organization had already extended, usually throu
Supply Chain
DarkReading
Tue, 14 Ju
Manage Vendor Risk in a Few Practical Steps
Risk tolerance, exposure visibility, board oversight — handling third-party risk is complicated but achievable with disciplined, precise governance.
Supply Chain
OpenSSF
Tue, 02 Ju
What’s in the SOSS? Podcast #62 – S3E14 The Ghost in the Dependency Tree: Navigating Open Source End-of-Life with HeroDevs
Supply Chain
Snyk Blog
Tue, 02 Ju
Protestware by open source maintainer to hinder agentic coding: The jqwik 1.10.0 Prompt Injection
jqwik 1.10.0 added a hidden prompt injection aimed at AI coding agents, using terminal escape codes to conceal destructive instructions from humans while leaving them readable to logs and tools.
Supply Chain
OpenSSF
Thu, 25 Ju
The CRA Readiness Reality: What Changed (and What Didn’t) Between 2025 and 2026?
In 2025, Linux Foundation Research, Linux Foundation Europe, and Open Source Security Foundation (OpenSSF) published Unaware and Uncertain: The Stark Realities of Cyber Resilience Act Readiness in Open Source. It took a survey-based look at how prepared the open source ecosystem
Supply Chain
Snyk Blog
Thu, 18 Ju
The full Snyk AI Security Platform, free for open source maintainers
Open source maintainers are drowning in real vulnerability reports and need help prioritizing, fixing, and shipping remediation faster. Snyk’s Secure Developer Program gives qualifying projects free access to the Snyk AI Security Platform.
Backdoor
TheHackerNews
Thu, 09 Ju
New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware
Microsoft has taken apart a destructive Windows backdoor it calls GigaWiper. What stands out is how it is built: not one tool but three older destructive programs bolted into one, offered as commands the operator can choose from.
Each is a different way to break a machine: wipe
Package Compromise
TheHackerNews
Thu, 09 Ju
npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk
GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA).
The Microsoft-owned subsidiary noted that the following npm install be
Package Compromise
Snyk Blog
Thu, 04 Ju
Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp
A new npm worm is abusing binding.gyp to trigger node-gyp during install, letting malicious packages run code without lifecycle scripts. It steals credentials, persists in GitHub, and self-propagates across maintainers.
Supply Chain
DarkReading
Thu, 02 Ju
Anthropic's AI Finds Bugs. IBM Bets $5B It Can Fix Them.
IBM and Red Hat assign 20,000 engineers to the new Project Lightwell service as Anthropic's Mythos findings ignite debate over how to secure the open source software supply chain.
Supply Chain
Snyk Blog
Sat, 23 Ma
Laravel Lang Supply Chain Advisory
Hundreds of historical Laravel Lang Packagist releases were republished with malicious code, putting Composer installs at risk of credential theft and secret exfiltration.
Package Compromise
TheHackerNews
Sat, 11 Ju
Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Li
Package Compromise
Snyk Blog
Mon, 18 Ma
Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account
A compromised npm maintainer account triggered an automated burst of over 300 malicious package versions across 323 packages in the AntV data visualization ecosystem, part of the ongoing Mini Shai-Hulud supply chain worm campaign. Here's what the malware does, how to detect expos
Supply Chain
Snyk Blog
Mon, 15 Ju
The Government Just Banned an AI Model. An Engineer's Perspective.
A government order abruptly took down a powerful AI model, exposing a new kind of supply chain risk for engineering teams. Security leaders need contingency plans before the next model disappears.
Backdoor
DarkReading
Mon, 13 Ju
GigaWiper Lets Threat Actors Choose Their Own Destructive Attack
A modular implant borrows from various malware families to combine both backdoor and wiper activities to maximize impact and minimize operational output.
Supply Chain
DarkReading
Mon, 13 Ju
Turning the Tables on Email Scammers With 'ScamBuster'
An open source, AI-driven system adopts victim personas to engage with phishing attackers, allowing organizations and law enforcement to gather relevant data on cybercriminal operations.
Package Compromise
Snyk Blog
Mon, 01 Ju
Miasma supply chain attack: malicious code found in @redhat-cloud-services npm packages
A supply chain worm dubbed Miasma has been found in dozens of @redhat-cloud-services npm releases. The malicious preinstall hook steals credentials, probes cloud identities, and can republish other packages.
Package Compromise
TheHackerNews
Fri, 10 Ju
Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages
Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases.
The compromised version, @injectivelabs/sdk-ts@1.20.21,
Backdoor
TheHackerNews
Fri, 10 Ju
Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites
A cybercrime crew left one of its own servers wide open on the internet for three weeks, and it exposed the operation's inner workings: the hacking tools, the activity logs, and target lists naming more than 1.4 million websites.
Far fewer were actually broken into, but the expo
Supply Chain
OpenSSF
Fri, 05 Ju
The “Skyway” to OSS Security: OpenSSF Community Day North America 2026 Recap
The open source community recently gathered in Minneapolis for Open Source Summit North America and OpenSSF Community Day North America 2026. Functioning as a collaborative “Skyway,” the Open Source Security Foundation (OpenSSF) successfully brought together diverse working group