A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious ...
On April 29, 2026, someone slipped malicious code into four widely used SAP software packages. Within days, the infection had ...
When OpenAI engineers discovered that a poisoned update to a widely used JavaScript library had executed on two corporate ...
Packagist packages hid malicious package.json scripts, enabling Linux binary execution during installs and workflows.
A new coordinated cross-ecosystem software supply chain attack campaign has targeted npm, PyPI, and Crates.io to distribute credential-stealing malware. The campaign, codenamed TrapDoor, spans more ...
Microsoft’s GitHub has suffered what appears to be its biggest ever security breach after confirming that attackers ...
The Tycoon2FA phishing kit now supports device-code phishing attacks and abuses Trustifi click-tracking URLs to hijack ...
Tycoon2FA has returned with new device-code phishing attacks targeting Microsoft 365 users through legitimate OAuth login ...
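A supply chain attack was carried out in which attackers published malware-laden versions of the npm packages for "TanStack", a family of libraries widely used in JavaScript and React development. According to TanStack's official postmortem, the attackers, in 2026 ...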
Over 170 TanStack, Mistral AI, OpenSearch, UiPath, and other packages were affected in a new Mini Shai-Hulud supply chain ...
Massive scale attack: The "Megalodon" campaign compromised over 5,000 GitHub repositories in 6 hours by weaponizing automated GitHub Actions workflows that execute when developers push code or merge ...
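The tools developers use every day have become the most dangerous point of entry. On May 18, GitHub's internal repositories were accessed without authorization, and two days later the hacker group "TeamPCP" put the stolen source code up for sale on a cybercrime forum. The point of entry was a VS Code extension. It was a chained attack that abused developer tools and exploited a "zero-CVE blind spot" that existing security tools cannot detect. A new form of attack, the developer eco ...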