JavaScript devs beware: this popular NPM package has been compromised by attackers

An extremely popular NPM package used in many JavaScript projects has been compromised and can wreak havoc on your machine if ...

Supply chain attack hits 300 million-download Axios npm package

�� CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls ...
The Hacker News

DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials

DeepLoad exploits ClickFix and WMI persistence to steal credentials, enabling stealth reinfection after three days.
The Hacker News

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

Axios 1.14.1 and 0.30.4 injected malicious plain-crypto-js@4.2.1 after npm compromise on March 31, 2026, deploying ...
CSO Online

GitHub phishers use fake OpenClaw tokens to drain crypto wallets

Attackers exploit OpenClaw hype with fake “CLAW” airdrops, luring developers from GitHub into wallet-draining phishing sites.

Ai2 releases open-source visual AI agent that can take control of web browsers

Allen Institute for AI, a prominent Seattle-based nonprofit research organization working on advancing artificial ...

Fake VS Code alerts on GitHub spread malware to developers

A large-scale campaign is targeting developers on GitHub with fake Visual Studio Code (VS Code) security alerts posted in the ...

Hackers are using fake coding jobs to spread malware through GitHub

The malware at the center of it, dubbed Omnistealer by investigators, uses public blockchains not just for payments, but as ...
PCMag on MSN

Malware Is Sleeping on the Blockchain, and It's Already Infected Dozens of Global Targets

Experts warn the campaign could outpace past global cyberattacks, with hundreds of thousands of credentials already ...

Bubble AI app builder abused to steal Microsoft account credentials

Threat actors are evading phishing detection in campaigns targeting Microsoft accounts by abusing the no-code app-building ...

A simple coding mistake is exposing API keys across thousands of websites

A large-scale study has revealed that websites are unintentionally exposing API keys tied to services like AWS, Stripe, and OpenAI, with most leaks traced back to publicly accessible JavaScript files.
InfoWorld

New ‘StoatWaffle’ malware auto‑executes attacks on developers

The newly observed malware abuses VS Code’s “runOn:folderOpen” feature to execute automatically from trusted projects, ...