Blog

Follow for the latest updates and insights on
open source security & engineering.

Malware Security Announcements AI Engineering Technology Open Source SCA Compliance & SBOM CI/CD

Malware

Malicious litellm 1.82.8: Credential Theft and Persistent Backdoor

Analysis of compromised litellm 1.82.8 on PyPI: a .pth file triggers credential theft, AWS/K8s secret exfiltration, and persistent C2 backdoor on install.

Security

Trivy Supply Chain Compromise: What Happened, What Was Stolen, and How to Respond

A consolidated technical reference for the TeamPCP supply chain attack against Aqua Security's Trivy scanner. Covers the full attack chain from AI-assisted initial breach through credential theft,...

sl4x0 Dependency Confusion: 92 Packages Target Fortune 500

A sustained dependency confusion campaign by the sl4x0 actor likely targets 20+ organizations including Adobe, Ford, Sony, and Coca-Cola with 92+ malicious npm packages exfiltrating developer data...

Malware

Malicious npm Package react-refresh-update Drops Cross-Platform Trojan on Developer Machines

A malicious npm package impersonating react-refresh, Meta's library with 42 million weekly downloads, was detected by SafeDep. The package injects a two-layer obfuscated dropper into runtime.js that...

Previous Next

Ship Code.

Not Malware.

Start free with open source tools on your machine. Scale to a unified platform for your organization.

Star on GitHub Book a Demo