Dozens of Popular Open‑Source Packages Compromised in Supply‑Chain Attack

Colleagues, please note: the cybersecurity community has detected the compromise of popular open‑source packages.
Briefly:
— StepSecurity and SafeDep detected a new wave of supply‑chain attacks.
— SafeDep: a developer account was hijacked, and over 630 malicious releases across 317 packages were published in about 20 minutes.
— Objective: credential theft, including secrets held in password managers; affected projects include AntV (Alibaba). JFrog notes that the malicious releases were also published via GitHub.
— This is part of the “Mini Shai‑Hulud” campaign: earlier attacks targeted TanStack and impacted OpenAI staff.
Why it matters: these attacks erode trust in dependencies and require strengthening supply‑chain defenses.
Which supply‑chain protections do you consider priorities?
#cybersecurity #supplychain #opensource #infosec