A malicious version of the Bitwarden command-line interface (CLI) password manager was briefly distributed via the Node ...

The Bitwarden CLI was briefly compromised after attackers uploaded a malicious @bitwarden/cli package to npm containing a credential-stealing payload capable of spreading to other projects.

Fake SSA email urges downloads with urgent warning. Learn key red flags and how to protect your data before it’s too late.

UNC6692 has been attributed to a large email campaign that's designed to overwhelm a target's inbox with a flood of spam ...

TL;DR An open source malware campaign dubbed CanisterSprawl has been observed in npm, stealing sensitive data from developer ...

Three supply chain attacks hit npm, PyPI, and Docker Hub between April 21–23, 2026. All three targeted secrets: API keys, cloud credentials, SSH keys, and tokens from developer environments and CI/CD ...

ESET Research has discovered a new China-aligned APT group that we’ve named GopherWhisper, which targets Mongolian ...

Fake Antigravity downloads are enabling fast account takeovers using hidden malware and stolen session cookies.

Not nearly as polite as the name suggests, the ransomware gang has impressed researchers with its speed in scaling up ...

Self-propagating npm worm steals tokens via postinstall hooks, impacting six packages and expanding supply chain attacks.

North Korean hackers used AppleScript and ClickFix in recent attacks targeting macOS systems at financial organizations.

Fake packages aim to steal data, credentials, and secrets, and to infect every package created using them, in what could be ...