The OWASP-backed tool scans JavaScript and TypeScript lockfiles locally, aiming to help developers catch and remediate dependency risks before CI failures.

The Shai-Hulud supply-chain malware campaign is exploiting the automated systems developers trust to publish software safely.

CNCF graduation, Microsoft tooling updates and cloud-provider support show broader OpenTelemetry adoption across developer platforms.

A desktop app that lets users stream any movie, TV series, or anime for free and without ads hit the top of GitHub’s global ...

North Korea-linked hackers have upgraded the InvisibleFerret malware to bypass script-based security tools, converting its Python code into compiled modules that are harder for defenders to inspect ...

Massive scale attack The "Megalodon" campaign compromised over 5,000 GitHub repositories in 6 hours by weaponizing automated GitHub Actions workflows that execute when developers push code or merge ...

Google recently published – and then quickly hid – a potentially dangerous bug found in the Chromium web browser. The ...

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, today announced the graduation of OpenTelemetry, a vendor-neutral, open source ...

OpenAI confirms a severe 2026 supply chain attack compromised internal repositories. Discover how this TanStack security ...

The malware employs ecosystem-specific techniques for execution. On npm, many packages use post-install hooks to deploy a comprehensive JavaScript payload ...

A coordinated malware campaign known as TrapDoor has hit software ecosystems widely used by crypto and blockchain developers.

TanStack has released a detailed postmortem describing a sophisticated supply-chain attack that compromised 42 npm packages ...