OUR BLOG

Over the years, I've talked with a lot of developers and engineering teams—first during my DevSecOps consulting work, then while building SecureStack. Now, as I focus full-time on software supply...

I've identified a malicious NPM package named "web3-parser" that targets web3 and crypto developers.  When the library is called from within a Javascript app, it exfils all data that you asked it to...

Our research has identified a package masquerading as the popular NPM package "Prettier" library.  This package was published in the NPM registry in September 2024 and was taken offline in mid...

SourceCodeRED identified a malicious package deployed on NPM this week.   This package was deployed by an NPM user named Zyrudev and named "arcus-cmd-utils".   The package only contained two files: ...

Two NPM packages masquerading as legitimate javascript libraries were published to the NPM registry this week.  The packages were published by a user named "kamations" and target the marked-js...

Published January 8, 2025 Every morning I get up and check what malicious packages my detector had found the night before.   It's like someone checking their fishing nets to see what fish they...

SourceCodeRED identified two malicious packages deployed on NPM today (December 27th, 2024) These packages were deployed by an NPM user named shulkwisec.  The two packages are "baby-electron" and...

A new malware payload is being delivered via NPM packages.  The NPM user named hi_ops published seven packages that are deploying a new MacOS malware.     How is the malware delivered? The...

The Ultralytics PyPi package was compromised today via a sneaky attack leveraging GitHub pull requests. Two consecutive package versions of the Ultralytics PyPi package were compromised and...

I've spent the last year researching the trust and safety mechanisms in SCM platforms like GitHub, GitLab, and Gitea. These platforms are important in the ecosystem, as GitHub and GitLab together...