malicious-packages

2 articles
sort: new top best
clear filter
bug-bounty515 xss283 rce169 google156 facebook131 microsoft124 exploit120 account-takeover118 bragging-post117 malware116 cve96 privilege-escalation92 csrf87 open-source86 authentication-bypass83 stored-xss75 phishing70 access-control69 ai-agents66 web-security64 reflected-xss63 apple60 input-validation53 sql-injection51 writeup51 reverse-engineering50 cross-site-scripting49 ssrf49 defi48 smart-contract48 api-security47 ethereum45 dos44 information-disclosure44 tool43 privacy43 supply-chain41 browser40 web-application39 cloudflare39 web338 burp-suite37 vulnerability-disclosure37 lfi37 opinion36 race-condition36 automation36 ai-security36 llm35 idor34
0 6/10
Supply-chain attack using invisible code hits GitHub and other repositories
threat-intel

Researchers discovered 151 malicious packages using invisible Unicode characters to hide executable code in repositories including GitHub and npm. The technique leverages Public Use Area characters that appear as whitespace to humans but execute as code at runtime, making traditional code reviews ineffective and suspected to be AI-generated at scale.

supply-chain-attack malicious-packages invisible-code unicode-obfuscation github npm code-injection ai-generated-malware public-use-area javascript eval-injection typosquatting solana credential-theft token-stealing
Aikido Security Glassworm Koi GitHub npm Open VSX VS Code Solana Dan Goodin
arstechnica.com · joozio · 6 hours ago · details · hn
0 7/10
Defense in Depth: A Practical Guide to Python Supply Chain Security
tutorial

Practical multi-layered defense strategy for Python supply chain security covering code linting, dependency pinning with cryptographic hashes, CVE scanning, SBOM generation, and Trusted Publishing with OIDC attestations. Includes real-world attack case studies (ctx, Ultralytics, GhostAction, Shai-Hulud) demonstrating why each defense layer is necessary.

supply-chain-security python dependency-management package-security pypi vulnerability-scanning secret-management sbom trusted-publishing oidc sigstore pip-audit ruff hash-pinning typosquatting malicious-packages github-actions-security cryptographic-verification
Bernát Gábor PyPI Ruff uv pip-audit CycloneDX Sigstore OIDC Ultralytics YOLO virtualenv tox platformdirs filelock CNCF ctx PHPass Flask Jinja2 Werkzeug MarkupSafe zizmor GhostAction Shai-Hulud
bernat.tech · gaborbernat · 1 day ago · details · hn