New npm supply-chain attack self-spreads to steal auth tokens

A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts.
InfoWorld

Visual Studio Code 1.115 introduces VS Code Agents app

Preview of new companion app allows developers to run multiple agent sessions in parallel across multiple repos and iterate on human and agent reviews. Visual Studio Code 1.115, the latest release of ...
InfoWorld

Visual Studio Code 1.115 introduces VS Code Agents app

Preview of new companion app allows developers to run multiple agent sessions in parallel across multiple repos and iterate on human and agent reviews. Visual Studio Code 1.115, the latest release of ...
TechCrunch

Anthropic took down thousands of GitHub repos trying to yank its leaked source code — a move the company says was an accident

Anthropic accidentally caused thousands of code repositories on GitHub to be taken down while trying to pull copies of its most popular product’s source code off the internet. On Tuesday, a software ...
The Verge

Claude Code leak exposes a Tamagotchi-style ‘pet’ and an always-on agent

The more than 512,000 lines of leaked code appear to show unreleased features, instructions for Claude, and more. The more than 512,000 lines of leaked code appear to show unreleased features, ...
Bleeping Computer

GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX

The GlassWorm supply-chain campaign has returned with a new, coordinated attack that targeted hundreds of packages, repositories, and extensions on GitHub, npm, and VSCode/OpenVSX extensions. Evidence ...
The Hacker News

GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos

The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. "The attack targets Python ...
SecurityWeek

ForceMemo: Python Repositories Compromised in GlassWorm Aftermath

Hundreds of GitHub accounts were accessed using credentials stolen in the VS Code GlassWorm campaign. Threat actors have been abusing credentials stolen in the VS Code GlassWorm campaign to hack ...
Ars Technica

Supply-chain attack using invisible code hits GitHub and other repositories

Researchers say they’ve discovered a supply-chain attack flooding repositories with malicious packages that contain invisible code, a technique that’s flummoxing traditional defenses designed to ...
Bloomberg L.P.

Bank of Canada Moves to Central Clearing to Curb Repo Risk

The Bank of Canada will begin centrally clearing its repo operations, Governor Tiff Macklem said, as he flagged growing risks from hedge funds’ leveraged bets in government bonds and the rapid ...
The Hacker News

Microsoft Warns Developers of Fake Next.js Job Repos Delivering In-Memory Malware

A "coordinated developer-targeting campaign" is using malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into executing them and establish ...
CSOonline

Microsoft warns of job‑themed repo lures targeting developers with multi‑stage backdoors

Attackers used “technical assessment” projects with repeatable naming conventions to blend in cloning and build workflows, retrieving loader scripts from remote infrastructure, and minimizing on-disk ...