Microsoft

Malicious npm packages abuse dependency confusion to profile developer environments

A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and ...
Morning Overview on MSN

A malicious npm package codenamed 'Malware-Slop' just surfaced hunting the files inside Anthropic’s Claude AI — snatching anything a user uploads into the chatbot

A rogue npm package called “Malware-Slop” has been flagged by security researchers for targeting developers who build on top ...
USA Today

Toyota Tacoma transmission problems identified in 2024 model, company admits

If you frequently visit Toyota forums, then you probably noticed that a not insignificant number of owners of the new 2024 Toyota Tacoma have been complaining about transmission gremlins. It seems ...

Perplexity launches Bumblebee: How its new read-only dev scanner differs from Chainguard

Perplexity launches Bumblebee: How its new read-only dev scanner differs from Chainguard ...
Tech Times

npm Supply Chain Attacks Hit GitHub: 2FA Approval Gate Now Blocks Stolen CI Tokens

GitHub’s internal repositories — now staged publishing in npm 11.15.0 requires a human 2FA approval before any package goes ...
InfoQ

NodeJS Proposes Built-In Virtual File System, Sparking Debate over AI-Generated Contributions

Matteo Collina has proposed a Virtual File System (VFS) for Node.js core through the node:vfs module. The proposal includes about 19,000 lines of code and addresses common workflow challenges. While ...
InfoWorld

As AI speeds coding, CVE Lite CLI keeps security deliberately AI-free

The OWASP-backed tool scans JavaScript and TypeScript lockfiles locally, aiming to help developers catch and remediate dependency risks before CI failures.