A new wave of the Mini Shai-Hulud campaign compromised dozens of TanStack npm packages as part of a broader supply chain attack affecting developer ecosystems, including packages tied to UiPath, ...

Hundreds of software packages are affected, once again threatening enterprise credentials on coders’ machines.

OpenAI says no user data was accessed in the TanStack npm compromise: two corporate laptops, some credentials, and a forced macOS update.

An attacker poisoned 84 TanStack npm versions across 42 packages, stealing GitHub OIDC tokens and cloud keys while planting a ...

Attackers compromised the official Mistral AI Python package on PyPI along with hundreds of other widely-used developer packages, exposing GitHub tokens, cloud credentials, and password vaults across ...

Microsoft’s GitHub has suffered what appears to be its biggest ever security breach after confirming that attackers ...

OpenAI confirmed that two employee devices were compromised, but found no evidence that user data, production systems, or ...

Microsoft says attackers compromised the mistralai PyPI package with malware that executed on import, while researchers link ...

A poisoned open-source dependency let attackers breach two OpenAI employee devices and steal credentials from a limited set of its internal source code repositories, OpenAI confirmed in a May 14, 2026 ...

TanStack has released a detailed postmortem describing a sophisticated supply-chain attack that compromised 42 npm packages ...

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious versions anyway. The CI/CD Trust-Chain Audit Grid maps the six gaps it ...

Threat actors earlier today published more than 600 malicious packages to the Node Package Manager (npm) index as part of a ...