npm tackles its riskiest security issues

With npm v12, GitHub closes a central attack vector: installation scripts from dependencies will only run after explicit ...
InfoWorld

Meet Hades: The malware that lies to AI security agents

Researchers have uncovered a supply-chain attack that hides in Python packages, propagates like a worm, and tricks LLM-based ...
Tech Times

SVG Phishing Emails Bypass Email Security: SANS Flags New MIME-Type Evasion

SVG phishing email attacks are bypassing enterprise email security gateways by hiding JavaScript inside image files and ...
GitHub

‍♂️ Loki Command & Control

Loki is a stage-1 command and control (C2) framework written in Node.js, built to script-jack vulnerable Electron apps MITRE ATT&CK T1218.015. Developed for red team operations, Loki enables evasion ...
Tech Times

Claude Code Dynamic Workflows: Scripts Replace Context Windows, Ultracode Automates Orchestration

Claude Code Dynamic Workflows, launched May 28, 2026, replaces context-window orchestration with a JavaScript script Claude writes on the fly for each task. Runs cap at 1,000 parallel subagents with ...
Infosecurity Magazine

PureLogs Variant Steals Data via Purchase Order Lures

The PureLogs module targeted a wide range of browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Yandex Browser, Mozilla Firefox, Waterfox and LibreWolf. It also scanned Discord ...

Netflix Nabs Spec Script for Nuclear Weapons Thriller ‘Run the Football’ From ‘The Batman’ Producer (Exclusive)

A new action thriller feature is ready to hit the ground running at Netflix. The streamer has scooped up the spec script for Run the Football from writing team Josh Marentette and ...
Hosted on MSN

New Roblox script guides spark safety and ban concerns

Recent guides for using scripts in popular Roblox games are drawing attention to the risks of account bans, malware infections, and exploitation. While these scripts can automate gameplay and unlock ...
The Hacker News

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency that delivers a trojan capable of ...
Business Wire

ThreatDown Uncovers First Cyber Attack Abusing Deno JavaScript Runtime for Fileless Malware Delivery

ThreatDown’s EDR team discovered a sophisticated, multi-stage attack chain during an active investigation; the first documented case of attackers abusing the Deno runtime as a malware execution ...
Bleeping Computer

Wikipedia hit by self-propagating JavaScript worm that vandalized pages

Update: Added Wikimedia Foundation's statement below and made a correction to denote it was only the Meta-Wiki that was vandalized. The Wikimedia Foundation suffered a security incident today after a ...
webtv.un.org

Letter from the President of the General Assembly on the PGA81 Candidate Submission of Vision Statement and Biography

Setting up fake worker failed: "Cannot load script at: https://www.un.org/pga/wp-content/plugins/pdf-embedder/assets/js/pdfjs/pdf.worker.min.js?ver=2.2.228". Setting ...