Packagist packages hid malicious package.json scripts, enabling Linux binary execution during installs and workflows.

Ghost CMS flaw CVE-2026-26980 enabled attacks on 700+ sites, injecting ClickFix malware through fake CAPTCHA pages.

Danielle Smith has put in motion an October referendum on whether Alberta should proceed toward a subsequent binding ...

Microsoft has identified an active supply chain attack targeting the npm package ecosystem. On May 28, 2026, a single threat actor operating under the newly created maintainer alias vpmdhaj (a39155771 ...

Attackers are increasingly abusing Microsoft’s legacy MSHTA utility to silently deliver malware, stealers, and persistent ...

A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and ...

North Korea-linked hackers have upgraded the InvisibleFerret malware to bypass script-based security tools, converting its Python code into compiled modules that are harder for defenders to inspect ...

Toronto City Council has voted against a motion asking Ontario to hold a referendum to measure support for the proposed ...

Automatic cleaners only know about a fixed set of cache folders, and the decisions they make are limited to what they were preprogrammed for. ApexDisk finds and surfaces everything else they skip: ...

A desktop app that lets users stream any movie, TV series, or anime for free and without ads hit the top of GitHub’s global ...

Google’s Project Zero demonstrates a new zero-click exploit for the Pixel 10 phones, showing a full escalation from remote to kernel without user interaction. During the investigation Project Zero ...

“He is one of the most selfless, sensitive, and generous people I know!” she wrote of the man now accused of murdering her. Brooklyn police arrested 38-year-old Jonathan Fernandez for allegedly ...