GitHub has just announced the availability of custom images for its hosted runners. They've finally left the public preview ...
The Trivy story is moving quickly, and the latest reporting makes one thing clear: this is no longer just a GitHub Actions tag hijack. What started as a compromise of trivy-action, setup-trivy, and ...
Attackers have compromised Trivy, the widely used open-source vulnerability scanner, planting credential-stealing malware in official releases and in the GitHub Actions used by thousands of CI/CD workflows. Unless affected projects and organizations rotate their secrets immediately, this intrusion could trigger a cascading supply chain attack. The Trivy maintainers disclosed today that the attack stems from an earlier intrusion made public at the end of last month, which likewise exploited insecure GitHub Actions and affected multiple projects. Security firms Socket and Wiz traced the incident back and found that after the first intrusion, credential rotation was not ...
Language package managers like pip, npm, and others pose a high risk during active supply chain attacks. However, OS updates ...
A critical supply chain attack has compromised the popular JavaScript library axios, leading to developers unknowingly ...
A North Korea-nexus threat actor compromised the widely used axios npm package, delivering a cross-platform remote access ...
Axios 1.14.1 and 0.30.4 injected malicious [email protected] after npm compromise on March 31, 2026, deploying ...
Two supply chain attacks in March infected open source tools with malware and used this access to steal secrets from ...
Cloudflare Inc. today announced an expansion of its Agent Cloud with new features that are designed to help developers build, deploy and scale agents. The new release includes a suite of ...
Two versions of the widely used JavaScript library axios were maliciously published on npm on March 31, 2026. A hijacked ...