Packagist Attack Hid Malware in package.json — 8 PHP Packages Hit
Eight Packagist PHP packages including devdojo/wave were compromised via a postinstall script hidden in package.json. Check if you’re affected and rotate credentials now.
NVIDIA Verified Agent Skills: SkillSpector and Skill Cards (2026)
NVIDIA launched Verified Agent Skills on May 22. Here is what SkillSpector scans for, how ...
Bedrock AgentCore: Persistent Filesystems for AI Agents (2026)
Amazon Bedrock AgentCore Runtime now supports bring-your-own S3 and EFS filesystems. Here is what changed, ...
TeamPCP Supply Chain Attack: How npm Poisoned GitHub
TeamPCP's three-stage supply chain cascade hit TanStack, Nx Console, and GitHub's 3,800 repos in 6 ...
JFrog 2026: Supply Chain Surge 451% — AI Now a Vector
JFrog’s 2026 report finds malicious npm packages up 451%, with AI agent skills and Hugging ...
vm2 Node.js Sandbox Escape: 13 Critical CVEs, Two Unpatched
vm2 — the Node.js library with 1.5 million weekly downloads used to run untrusted JavaScript safely — just had 13 critical vulnerabilities disclosed. ...
Exchange Zero-Day CVE-2026-42897: One Email Owns Your OWA
An attacker sends one email. The victim opens it in Outlook Web Access. No attachment, ...
Laravel-Lang Supply Chain Attack: 700 Repos Poisoned — Rotate Now
A supply chain attack rewrote 233 Laravel-Lang Composer package versions via Git tag manipulation. If ...
Quasar Linux RAT Targets Developer Credentials: Check Now
The QLNX Linux RAT targets developer dotfiles — npm tokens, AWS keys, kubeconfig — with ...
Cloudflare Flagship: Feature Flags Without Latency
Cloudflare Flagship evaluates feature flags inside your Worker via a native binding—no HTTP round-trip, no ...