Tag: software supply chain

black samsung flat screen computer monitor
Security

10,000 cloned GitHub repos are delivering LuaJIT loaders — why engineering teams must stop trusting repo search results

A coordinated campaign has spun up roughly 10,000 fake GitHub repositories that clone real projects’ histories while swapping in malicious ZIP links and AI-written READMEs. Engineering teams, dependency scanners, and security ops need to treat repository search results and automated dependency pulls as potential attack surfaces, not trusted signals. Organized supply-chain mimicry, not random uploads […]

admin 
a computer on a desk
Security

Not in axios’s source — a hijacked maintainer account pushed a phantom dependency that installed a cross‑platform RAT

On March 31, 2026, attackers used a hijacked npm maintainer account to publish poisoned axios releases that exercised npm’s install lifecycle, not by altering axios source code but by adding a phantom dependency (plain-crypto-js@4.2.1) whose postinstall hook deployed a cross‑platform remote access trojan (RAT). The publication used stolen long‑lived npm tokens to bypass GitHub Actions […]

admin 
Laptop displaying code with a coffee mug nearby.
Security

TeamPCP’s Telnyx Compromise: credential-based, steganographic backdoor in PyPI releases

On March 27, 2026 the Telnyx Python SDK on PyPI was backdoored by the actor known as TeamPCP using stolen maintainer credentials — not typosquatting. Malicious code landed only in telnyx/_client.py inside published releases 4.87.1 and 4.87.2 (no corresponding GitHub tags or releases), and the package’s ~700,000 monthly-download footprint made the trojanized SDK a high-value […]

admin