A poisoned npm package infected 140+ projects with a hidden payload. This report highlights how to detect, hunt, and defend ...

Meteor CTO Henrique Schmaiske led the framework's largest release in over a decade, removing Fibers and migrating to async/await across 2,300 commits while keeping 500,000+ active installations stable ...

Tampered JavaScript in three Awesome Motive plugins exposed WordPress sites to rogue admin accounts and hidden backdoors.

ClickFix attacks are delivering BabaDeda, Lorem Ipsum, and Potemkin loaders to deploy stealers, RATs, and ransomware-linked ...

Researchers have uncovered a supply-chain attack that hides in Python packages, propagates like a worm, and tricks LLM-based ...

July 2026, blocking install scripts, Git dependencies, and remote URL sources by default. Every team running npm install in ...

There's another likely North Korean-linked scam hitting developers and their employers, while snarfing up credentials and ...

VoidZero's toolchain, anchored by Vite, has emerged as the shared substrate for the web ecosystem, capturing over 130 million weekly downloads. The Cloudflare Vite plugin has reached 13.9 million ...

Acquisition brings Vite, the world’s leading JavaScript build tool, and its core open source team to Cloudflare Cloudflare commits $1 million to an independent Vite ecosystem fund to support open sour ...

Miasma compromised 32 Red Hat packages June 1 via a hijacked CI/CD pipeline producing valid SLSA attestations, then hit 57 more June 3 using Phantom Gyp to evade install monitors. Red Hat confirmed no ...

If reinstalling software feels repetitive, these tools have some ideas.

As search becomes increasingly dominated by AI summaries and commercial content, people are experimenting and coming up with ways to make the web feel more human like it used to, building everything ...