I scanned 200 popular MCP server packages. Here is what I found.
The MCP ecosystem has been growing fast, but the supply-chain hygiene has not kept up. MCPwn (CVE-2026-33032, CVSS 9.8) exposed 2,600+ instances. The …
Latest News
⚑ Report a ProblemTech news from the best sources
All topics
AI
Gear
News
Tech
agents
ai
api
architecture
automation
beginners
career
database
devchallenge
devops
gemma
javascript
llm
machinelearning
mcp
opensource
performance
productivity
programming
python
react
security
showdev
tutorial
typescript
webdev
Mini Shai-Hulud: A persistent supply-chain worm
On April 29th, Aikido researchers detected multiple compromised Node.js packages in SAP's namespace today. The malware adapts to CI environments, stea…
How `shieldcortex audit --deps` Catches the parikhpreyash4 Supply-Chain Attack
Socket Security flagged a campaign yesterday: roughly 700 GitHub repositories carrying a poisoned package.json that drops /tmp/.sshd , pipes curl -skL…
npm Supply Chain Audit: The Checklist Most Teams Stop Too Early
Originally posted on getcommit.dev . In October 2021, ua-parser-js was used by Facebook, Microsoft, Amazon, and Google. It had 7 million weekly downlo…
PCB Shortage Warning: Iran-Saudi Conflict Drives 40% Price Increase — What Hardware Engineers Need to Know
Gulf Conflict Triggers New PCB Supply Chain Crisis A convergence of geopolitical disruption and commodity price surges is creating the PCB industry's …
Causa GitHub, or: Your Editor Extensions Run as You
Wire Fire — Episode 02 On 18 May 2026 an attacker published a poisoned version of a popular Visual Studio Code extension. It was live for roughly elev…
node-ipc Had a 69 Trust Score Before It Got Hacked. TanStack Had 91.
Two npm supply chain attacks hit the same week. One was predictable. One wasn't. That's the point. May 2026 gave us two back-to-back supply chain atta…
GitHub Wasn't Hacked, But Your CI/CD Pipeline Might Be: Lessons from Grafana, CISA, and Shai-Hulud 2.0
GitHub wasn't hacked on May 19, 2026. GitHub.com is fully operational, all metrics green. But within the same news cycle, three incidents converged — …
The MCP package looked clean. The installed tree did not.
We audited 31 MCP server packages across npm and PyPI. For each one, we ran two checks: a direct check of the top-level package a scan of the installe…
The Hidden Supply Chain Risk in Your `pip install`
This Is Not an Anomaly The LiteLLM incident is part of an accelerating pattern: 454,000+ new malicious packages in open-source registries in 2025 Mali…
How to Choose a PCB Manufacturer – A Practical Guide for Hardware Engineers
10 questions to ask before placing your next order Introduction You‘ve spent weeks designing your PCB. The schematic is clean, the layout is optimized…
MCPwn Is Live. We Scanned the Supply Chains of 14 MCP Servers. Here's What We Found.
MCPwn Is Live. We Scanned the Supply Chains of 14 MCP Servers. Here's What We Found. April 18, 2026 MCPwn dropped this week. CVE-2026-33032 — CVSS 9.8…
161 verified AI package hallucinations across 8.5M indexed — open dataset
161 verified AI package hallucinations across 8.5M indexed — open dataset TL;DR : DepScope is a free MCP server + REST API that AI coding agents call …