Tag

#supply chain

72 stories tagged supply chain.

Vulnerabilities

libssh2 Clients Get a Nasty Surprise: PoC Lands for CVE-2026-55200

A malicious SSH server can corrupt memory on any client built against libssh2 1.11.1 or earlier. No creds required.

2 min
Threat Intelligence

Supply-Chain Attackers Hide Python Stealer in npm and Go Packages, Sidestep Lifecycle Scripts

JFrog flags two hijacked npm packages and a Go cluster that abuse VS Code tasks to drop a cross-platform infostealer — bypassing the script hooks defenders typically watch.

3 min
Vulnerabilities

Amazon Patches CVE-2026-12957 in Q Developer: Malicious Repo Could Drain AWS Credentials via MCP

A workspace-trust prompt was all that stood between a developer and credential theft. Amazon has shipped a fix for the high-severity flaw in its AI coding assistant.

2 min
Threat Intelligence

Mini Shai-Hulud Worm Jumps to Go, Hits LeoPlatform and RStreams npm Packages

The self-propagating supply chain campaign tied to Miasma and Hades has spread again — abusing GitHub Actions workflows and now reaching Go modules.

2 min
Threat Intelligence

Featured Chrome Ad Blocker with 10M+ Installs Carries Dormant JS Injection Capability

Researchers flagged a Featured-badge extension that can pull and execute remote JavaScript — a capability common to supply-chain abuse clusters tracked across the Chrome Web Store.

2 min
AI Security

AIVEX Triage Model Targets Software Supply Chain Risk in AI Environments

A new framework aims to help security teams prioritize which supply chain vulnerabilities carry the highest operational, safety, and business risk where AI systems are in play.

2 min
Vulnerabilities

Cordyceps Flaw Class Hands Attackers the Keys to 300+ GitHub Repos

A newly catalogued CI/CD weakness lets attackers hijack workflows at Microsoft, Google and Apache projects, researchers say.

2 min
Vulnerabilities

FFmpeg Vulnerability 'PixelSmash' Threatens Media Applications

A critical flaw in FFmpeg's MagicYUV decoder reveals the fragility of software supply chains.

2 min
Policy & Regulation

White House Orders Federal Agencies to Migrate Cryptography by 2030, Signals Contractor Reckoning

Two executive orders set hard federal deadlines for post-quantum cryptography adoption and launch a government-wide quantum R&D program — with ripple effects for every contractor touching federal networks.

3 min
AI Security

Fake Agent Skill Slips Past Every Scanner, Lands on 26,000 AI Agents

A red-team experiment by AIR pushed a booby-trapped skill through a popular marketplace and an Instagram ad. The skill marketplaces' security scanners shrugged.

2 min
Threat Intelligence

Three npm Packages Squat PostCSS Names to Drop a Windows RAT

Typosquatted utilities pulled roughly a thousand combined downloads before researchers flagged them. The payload targets Windows developer machines, which is exactly where the credentials live.

2 min
Breaches

Klue Confirms OAuth Token Theft as 'Icarus' Crew Stakes Public Claim

The market intelligence vendor's disclosure adds another name to the lengthening list of Salesforce-adjacent SaaS breaches tied to stolen OAuth credentials.

3 min
Cloud Security

Salesforce Cuts Klue Battlecards Tie-In After OAuth Token Compromise

The CRM giant pulled the competitive-intelligence app's integration on June 11 following a security incident that exposed connected customer data.

2 min
Vulnerabilities

Beats Studio Buds Pick Up Patch for Bluetooth Pairing Flaw Rated 8.8

An Airoha SDK authorization bug let attackers within range pair without consent. Apple has shipped a firmware fix.

2 min
Threat Intelligence

The Popa Botnet: When Your $40 Streaming Box Moonlights as a Residential Proxy

Researchers tie a four-year-old Android TV box botnet to NetNut, the residential proxy arm of NASDAQ-listed Alarum Technologies. The company disputes the framing.

3 min
© 2026 Threat Vectr