Malicious Sicoob.Sdk stole PFX certificates and client IDs via NuGet downloads, enabling API impersonation and payment abuse risks.
Project Lightwell is an AI‑powered initiative to find and fix vulnerabilities in open-source software at an industrial scale. Here's what we know so far.
‘SymJack’ attack shows how AI coding agents can be manipulated through malicious repositories and MCP servers to steal data and enable software supply chain attacks.
Following every major outage there is discussion of GitHub alternatives, with some organizations moving to self-hosted code repositories and/or CI/CD. GitHub is sticky though, par ...
CrowdStrike, Google and the Shadowserver Foundation worked together to take down a botnet that poisoned over 300 GitHub ...
Application security is a continuous discipline that protects software, APIs, code, dependencies, data flows, identities, and ...
Malicious packages across npm, PyPI, and Crates.io show how poisoned developer workflows can become a route into enterprise systems.
Morning Overview on MSN
Hackers are now hiding inside the AI coding assistants developers trust the most — a single poisoned config file quietly smuggling stolen keys out of build servers
Sometime in early 2025, a security researcher flagged a configuration file that could do something it was never supposed to: silently siphon API keys, cloud credentials, and signing certificates out ...
Hackers rewrote all Git tags across four Laravel-Lang packages, poisoning over 700 historical versions with backdoors.
Stolen credentials produced valid Sigstore certificates, clearing 633 malicious npm packages — one of seven developer tool ...
Google spent nearly a year accepting code contributions from hundreds of independent developers on an open-source AI terminal ...
City officials are weighing the construction of a new fire station near University Boulevard and A.W. Grimes Boulevard, as well as the purchase of an additional fire engine to serve Round Rock ...