Ars Technica

PyPI halted new users and projects while it fended off supply-chain attack

PyPI, a vital repository for open source developers, temporarily halted new project creation and new user registration following an onslaught of package uploads that executed malicious code on any ...
Bleeping Computer

Malicious NuGet packages drop disruptive 'time bombs'

Several malicious packages on NuGet have sabotage payloads scheduled to activate in 2027 and 2028, targeting database implementations and Siemens S7 industrial control devices. The embedded malicious ...
Microsoft

Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments

Cookie-gated PHP webshells use obfuscation, php-fpm execution, and cron-based persistence to evade detection in Linux hosting ...
Microsoft

Mitigating the Axios npm supply chain compromise

On March 31, 2026, the popular HTTP client Axios experienced a supply chain attack, causing two newly published npm packages ...
Dark Reading

Millions at Risk As 'Parrot' Web Server Compromises Take Flight

Threat actors behind a traffic redirect system (TDS) that's been active since October 2021 have ramped up efforts to elude detection and can potentially reach millions of people with malicious scripts ...
Tom's Hardware on MSN

One of JavaScript's most popular libraries compromised by hackers

An attacker compromised the npm account of a lead Axios maintainer on March 30, and used it to publish two malicious versions ...