Tech News
All News AI & ML Architecture DevOps Open Source Programming Team Management Testing & QA Web

Latest News

⚑ Report a Problem

Tech news from the best sources

All topics - игры AI Gear News Tech agents ai api architecture automation beginners career claude devchallenge devops javascript llm machinelearning mcp opensource performance productivity programming python react security showdev tutorial typescript webdev
All EN RU
EN

Dependabot learns to wait: version-update PRs now sit for three days by default

Every time your bot merges a two-hour-old release into main, you are trusting a stranger's freshly published tarball to be the same one everyone else …

dependabotgithubsupplychainpackageupdates
Dev.to Jul 15, 2026, 00:24 UTC
EN

Innersource security advisories go GA: a private channel for private vulns

Your platform team ships an internal package. Half the org pulls it. Someone finds a bug that in the wrong hands is a full RCE. What do you do next: f…

githubghasdependabotsupplychain
Dev.to Jul 11, 2026, 16:24 UTC
EN

uv audit vs pip-audit, and a gate narrower than it looks

Until now, the tools that install packages have never once stopped to ask, "Are you sure it's okay to take this one?" Whether it's pip install or npm …

pythonsecuritydevopssupplychain
Dev.to Jul 10, 2026, 14:38 UTC
EN

MCP supply chain attacks are coming — here's how to prepare

The npm incident, but for AI agents Remember when malicious npm packages stole crypto wallets? The same thing is coming for MCP servers. An MCP server…

mcpsecuritysupplychainnpm
Dev.to Jul 7, 2026, 23:56 UTC
EN

From vexctl scripts to a governed VEX platform: building vex-ui with Next.js, keyless signing, and a Trivy-consumable repo

un Trivy against almost any vendor container image and you'll get a wall of findings. Most of them don't matter, the vulnerable code path is never exe…

securitynextjsdevopssupplychain
Dev.to Jul 7, 2026, 21:17 UTC
EN

Aikido buys Root to patch open source in place, without the upgrade dance

Every open-source CVE backlog has that one line item you keep sliding into next quarter. The library is a couple of majors behind, the upgrade breaks …

supplychaincvedependenciessecurity
Dev.to Jul 1, 2026, 00:24 UTC
EN

CI is the wrong place to first hear about your npm dependencies

Your CI catches the npm vulnerability. Your developer is already three branches away and one standup behind. The package is installed, the lockfile re…

supplychainshiftleftnodenpm
Dev.to Jun 29, 2026, 00:24 UTC
EN

A Rogue Registry in My Own Backyard: Anatomy of a Two-Line Supply Chain Attack

The previous parts of this series were written from a comfortable distance. I read the Trend Micro diagrams about Shai-Hulud, I theorised about Docker…

npmsecuritysupplychain
Dev.to Jun 27, 2026, 22:30 UTC
EN

Cilium publishes its CI hardening playbook, gaps and all

Every open source project's CI pipeline is a quiet confession of how much trust it extends to its own contributors. (Most maintainers would rather you…

cicdsecuritysupplychaincredentialssigstore
Dev.to Jun 26, 2026, 16:24 UTC
EN

Homebrew 6.0.0 turns third-party taps into an opt-in trust list

Your CI runner is a stranger with a credit card and root. Every brew install against a third-party tap is the same trust gesture as curl | sh , just w…

homebrewsupplychainpackagemanagerscicd
Dev.to Jun 23, 2026, 00:24 UTC
EN

One npm Account Publishes 964 Million Downloads Per Week. None Have Provenance.

The npm account ai publishes seven packages. Combined, they install 964 million times per week: Package Weekly downloads Publishers Risk postcss 245,6…

npmsecuritysupplychainjavascript
Dev.to Jun 18, 2026, 14:35 UTC
EN

IronWorm Commits as 'claude.' It Steals Your Anthropic and OpenAI Keys.

On June 3, JFrog Security Research published their analysis of IronWorm — a supply chain attack that compromised 37 npm packages through the asteroidd…

securitysupplychainainpm
Dev.to Jun 15, 2026, 14:36 UTC
EN

How to Build a Secure Homelab for LLM Inference

We’ve treated local AI deployments as experimental toys for too long. The moment a homelab becomes a dependency for work, the security posture must sh…

homelabllmsecurityinferencesupplychain
Dev.to Jun 12, 2026, 10:14 UTC
EN

ShadowFeed Weekly #1: IronWorm npm Attack, $36M Humanity Protocol Hack, Microsoft Repos Compromised

ShadowFeed Weekly #1 | Web3 Security Intelligence June 5 — June 11, 2026 ShadowFeed is a real-time Web3 security intelligence service for developers a…

web3securitysupplychainblockchain
Dev.to Jun 11, 2026, 02:40 UTC
EN

Rust Crate 'onering' Compromised: Malicious Code Exfiltration Risk Mitigated with Updated Version

Introduction and Background The Rust ecosystem, celebrated for its memory safety and performance, relies heavily on crates —its package management sys…

rustsecuritysupplychainmalware
Dev.to Jun 10, 2026, 21:35 UTC
EN

End-to-End GitHub Security Hardening Guide for Organizations

GitHub is not just a source code platform anymore. For most engineering organizations, GitHub is part identity system, part software supply chain, par…

githubsecuritydevsecopssupplychain
Dev.to Jun 10, 2026, 03:33 UTC
EN

The Maintainer Trap: What the jqwik Incident Reveals About Trusting Your Dependencies

This article was originally published on LucidShark Blog . On May 29, 2026, a developer pushed a new release of jqwik, a popular Java property-based t…

securitysupplychainagenticdevops
Dev.to Jun 7, 2026, 15:21 UTC
EN

The Bot That Never Was

By Ionut-Cristian Florescu ( @icflorescu ), written June 6, 2026, while still locked out. How the Miasma worm, a Shai-Hulud strain that this week also…

securityopensourcegithubsupplychain
Dev.to Jun 6, 2026, 14:35 UTC
EN

Supply Chain Sense: Merging Gemini AI and Math for Smart Retail Inventory

In neighbourhood retail markets, local Kirana stores, and hyper-local fulfilment centres, inventory management isn’t an administrative task—it’s a hig…

pythonaisupplychaindataengineering
Dev.to Jun 3, 2026, 19:11 UTC
EN

I scanned 200 popular MCP server packages. Here is what I found.

The MCP ecosystem has been growing fast, but the supply-chain hygiene has not kept up. MCPwn (CVE-2026-33032, CVSS 9.8) exposed 2,600+ instances. The …

mcpsecuritysupplychainopensource
Dev.to May 30, 2026, 07:23 UTC
EN

Mini Shai-Hulud: A persistent supply-chain worm

On April 29th, Aikido researchers detected multiple compromised Node.js packages in SAP's namespace today. The malware adapts to CI environments, stea…

securitysupplychainnpmsecurityresearch
Dev.to May 26, 2026, 12:32 UTC
EN

How `shieldcortex audit --deps` Catches the parikhpreyash4 Supply-Chain Attack

Socket Security flagged a campaign yesterday: roughly 700 GitHub repositories carrying a poisoned package.json that drops /tmp/.sshd , pipes curl -skL…

securitysupplychainnpmdevops
Dev.to May 23, 2026, 19:32 UTC
EN

npm Supply Chain Audit: The Checklist Most Teams Stop Too Early

Originally posted on getcommit.dev . In October 2021, ua-parser-js was used by Facebook, Microsoft, Amazon, and Google. It had 7 million weekly downlo…

npmsecurityjavascriptsupplychain
Dev.to May 22, 2026, 09:39 UTC
EN

PCB Shortage Warning: Iran-Saudi Conflict Drives 40% Price Increase — What Hardware Engineers Need to Know

Gulf Conflict Triggers New PCB Supply Chain Crisis A convergence of geopolitical disruption and commodity price surges is creating the PCB industry's …

hardwareelectronicssupplychainmanufacturing
Dev.to May 21, 2026, 06:21 UTC
EN

Causa GitHub, or: Your Editor Extensions Run as You

Wire Fire — Episode 02 On 18 May 2026 an attacker published a poisoned version of a popular Visual Studio Code extension. It was live for roughly elev…

securitysupplychainvscodedevsecops
Dev.to May 21, 2026, 06:13 UTC
EN

node-ipc Had a 69 Trust Score Before It Got Hacked. TanStack Had 91.

Two npm supply chain attacks hit the same week. One was predictable. One wasn't. That's the point. May 2026 gave us two back-to-back supply chain atta…

npmsecuritysupplychainjavascript
Dev.to May 20, 2026, 08:38 UTC
EN

GitHub Wasn't Hacked, But Your CI/CD Pipeline Might Be: Lessons from Grafana, CISA, and Shai-Hulud 2.0

GitHub wasn't hacked on May 19, 2026. GitHub.com is fully operational, all metrics green. But within the same news cycle, three incidents converged — …

cybersecuritygithubdevopssupplychain
Dev.to May 19, 2026, 21:33 UTC
EN

The MCP package looked clean. The installed tree did not.

We audited 31 MCP server packages across npm and PyPI. For each one, we ran two checks: a direct check of the top-level package a scan of the installe…

securityaimcpsupplychain
Dev.to May 15, 2026, 21:18 UTC
EN

The Hidden Supply Chain Risk in Your `pip install`

This Is Not an Anomaly The LiteLLM incident is part of an accelerating pattern: 454,000+ new malicious packages in open-source registries in 2025 Mali…

pythonaisupplychainsecurity
Dev.to May 13, 2026, 23:22 UTC
EN

How to Choose a PCB Manufacturer – A Practical Guide for Hardware Engineers

10 questions to ask before placing your next order Introduction You‘ve spent weeks designing your PCB. The schematic is clean, the layout is optimized…

pcbmanufacturinghardwareengineeringsupplychainsmallbatch
Dev.to May 6, 2026, 09:36 UTC

© Tech News — Headline Aggregator

Sitemap Legal Notice Privacy Terms Copyright / Removal DSA Contact

Leaving the site

You are about to open an external website:

Continue →