GhostAction Attack Steals 3,325 Secrets from GitHub Projects
GhostAction supply chain attack hit 817 GitHub repositories, stealing 3,325 secrets including npm, PyPI, and DockerHub tokens.
PyPI
PyPI maintainers alert users to email verification phishing attack
PyPI warns of phishing emails from noreply@pypj[.]org posing as “[PyPI] Email verification” to redirect users to fake package sites. PyPI warns of an active phishing attack using fake “[PyPI] Email verification” messages from noreply@pypj[.]org, aiming to lure users to spoofed PyPI sites. PyPI, short for the Python Package Index, is the official repository for Python […]
Open source has a malware problem, and it’s getting worse
Sonatype has published its Q2 2025 Open Source Malware Index, identifying 16,279 malicious open source packages across major ecosystems such as npm and PyPI. This brings the total number of malware packages discovered by the company to 845,204. Compare…
Backdoors in Python and NPM Packages Target Windows and Linux
Checkmarx uncovers cross-ecosystem attack: fake Python and NPM packages plant backdoor on Windows and Linux, enabling data theft plus remote control.
Malware Hidden in AI Models on PyPI Targets Alibaba AI Labs Users
ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users. Learn how attackers…
PyPI Packages Found to Expose Thousands of Secrets
GitGuardian discovered roughly 4,000 secrets in nearly 3,000 PyPI packages, including Azure, AWS, and GitHub keys.
The post PyPI Packages Found to Expose Thousands of Secrets appeared first on SecurityWeek.
FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing Data
By Waqas
There are over 17 million developers worldwide who use NPM packages, making it a lucrative target for cybercriminals.
This is a post from HackRead.com Read the original post: FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing D…
PyPI enforces 2FA authentication to prevent maintainers’ account takeover
PyPI is going to enforce two-factor authentication (2FA) for all project maintainers by the end of this year over security concerns. Due to security concerns, PyPI will be mandating the use of two-factor authentication (2FA) for all project maintainers by the end of this year. Over the past few years, there has been a rise […]
The post PyPI enforces 2FA authentication to prevent maintainers’ account takeover appeared first on Security Affairs.
PyPI Enforcing 2FA for All Project Maintainers to Boost Security
PyPI will require all accounts that maintain a project to enable two-factor authentication (2FA) by the end of 2023.
The post PyPI Enforcing 2FA for All Project Maintainers to Boost Security appeared first on SecurityWeek.
S3 Ep136: Navigating a manic malware maelstrom
Latest episode – listen now. Full transcript inside…