Dependabot learns to wait: version-update PRs now sit for three days by default
Every time your bot merges a two-hour-old release into main, you are trusting a stranger's freshly published tarball to be the same one everyone else …
Tech news from the best sources
Every time your bot merges a two-hour-old release into main, you are trusting a stranger's freshly published tarball to be the same one everyone else …
Your platform team ships an internal package. Half the org pulls it. Someone finds a bug that in the wrong hands is a full RCE. What do you do next: f…
Until now, the tools that install packages have never once stopped to ask, "Are you sure it's okay to take this one?" Whether it's pip install or npm …
The npm incident, but for AI agents Remember when malicious npm packages stole crypto wallets? The same thing is coming for MCP servers. An MCP server…
un Trivy against almost any vendor container image and you'll get a wall of findings. Most of them don't matter, the vulnerable code path is never exe…
Every open-source CVE backlog has that one line item you keep sliding into next quarter. The library is a couple of majors behind, the upgrade breaks …
Your CI catches the npm vulnerability. Your developer is already three branches away and one standup behind. The package is installed, the lockfile re…
The previous parts of this series were written from a comfortable distance. I read the Trend Micro diagrams about Shai-Hulud, I theorised about Docker…
Every open source project's CI pipeline is a quiet confession of how much trust it extends to its own contributors. (Most maintainers would rather you…
Your CI runner is a stranger with a credit card and root. Every brew install against a third-party tap is the same trust gesture as curl | sh , just w…
The npm account ai publishes seven packages. Combined, they install 964 million times per week: Package Weekly downloads Publishers Risk postcss 245,6…
On June 3, JFrog Security Research published their analysis of IronWorm — a supply chain attack that compromised 37 npm packages through the asteroidd…
We’ve treated local AI deployments as experimental toys for too long. The moment a homelab becomes a dependency for work, the security posture must sh…
ShadowFeed Weekly #1 | Web3 Security Intelligence June 5 — June 11, 2026 ShadowFeed is a real-time Web3 security intelligence service for developers a…
Introduction and Background The Rust ecosystem, celebrated for its memory safety and performance, relies heavily on crates —its package management sys…
GitHub is not just a source code platform anymore. For most engineering organizations, GitHub is part identity system, part software supply chain, par…
This article was originally published on LucidShark Blog . On May 29, 2026, a developer pushed a new release of jqwik, a popular Java property-based t…
By Ionut-Cristian Florescu ( @icflorescu ), written June 6, 2026, while still locked out. How the Miasma worm, a Shai-Hulud strain that this week also…
In neighbourhood retail markets, local Kirana stores, and hyper-local fulfilment centres, inventory management isn’t an administrative task—it’s a hig…
The MCP ecosystem has been growing fast, but the supply-chain hygiene has not kept up. MCPwn (CVE-2026-33032, CVSS 9.8) exposed 2,600+ instances. The …
On April 29th, Aikido researchers detected multiple compromised Node.js packages in SAP's namespace today. The malware adapts to CI environments, stea…
Socket Security flagged a campaign yesterday: roughly 700 GitHub repositories carrying a poisoned package.json that drops /tmp/.sshd , pipes curl -skL…
Originally posted on getcommit.dev . In October 2021, ua-parser-js was used by Facebook, Microsoft, Amazon, and Google. It had 7 million weekly downlo…
Gulf Conflict Triggers New PCB Supply Chain Crisis A convergence of geopolitical disruption and commodity price surges is creating the PCB industry's …
Wire Fire — Episode 02 On 18 May 2026 an attacker published a poisoned version of a popular Visual Studio Code extension. It was live for roughly elev…
Two npm supply chain attacks hit the same week. One was predictable. One wasn't. That's the point. May 2026 gave us two back-to-back supply chain atta…
GitHub wasn't hacked on May 19, 2026. GitHub.com is fully operational, all metrics green. But within the same news cycle, three incidents converged — …
We audited 31 MCP server packages across npm and PyPI. For each one, we ran two checks: a direct check of the top-level package a scan of the installe…
This Is Not an Anomaly The LiteLLM incident is part of an accelerating pattern: 454,000+ new malicious packages in open-source registries in 2025 Mali…
10 questions to ask before placing your next order Introduction You‘ve spent weeks designing your PCB. The schematic is clean, the layout is optimized…