News
VS Code extensions deployed sandbox-evasive malware to steal system data, developer credentials, and crypto wallets.
Orca Security, a pioneer of agentless cloud security, today released the 2025 State of Cloud Security Report, providing ...
“The ethers-provider2 package contains the ssh2 source code, adding some malicious elements to it,” the researcher said. “So, the whole package functions exactly how the ssh2 package would ...
The risks associated with leveraging open source libraries, and the review needed, are increasing. In the first half of 2025, ...
When working on a multi-developer project, avoid using the * wildcard so that other developers can easily see which types are used in your source code. Because Java is case sensitive, package and ...
A significant percentage of the 50,000 most-downloaded npm packages are deprecated ... When it comes to open source, making that choice is perfectly fine because the code doesn’t come with ...
With a scam known as “brushing,” cybercriminals will ship packages with no return address that contain a QR code, prompting the confused recipient to scan the code to reveal who sent the package.
A malicious package in the Node Package Manager index uses invisible Unicode characters to hide malicious code and Google Calendar ... attribute from the event's HTML page, which holds a base64 ...
which aim to poison software at its very source in an attempt to infect all users downstream. “Once the attacker publishes a package under the hallucinated name, containing some malicious code ...
Three vulnerabilities discovered in the open-source PHP package Voyager for managing Laravel applications could be used for remote code execution attacks. The issues remain unfixed and can be ...
Receive a random package you didn’t order? You may be a victim of a ‘brushing’ scheme. Here’s how it works — and the 1 thing postal inspectors warn you to avoid doing ...
There is no return address; instead, the unexpected package has a QR code that when scanned, pretends to show you who sent it. Once you scan the package's QR code, it exposes your phone's personal ...