-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

Developer Security | Breaking Cybersecurity News | The Hacker News

Category — Developer Security
Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages

Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages

Jul 10, 2026 Software Supply Chain / Malware
Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases. The compromised version, @injectivelabs/sdk-ts@1.20.21 , came embedded with fake telemetry functionality that exfiltrated data from cryptocurrency wallets. The version was released on July 8, 2026, but has since been deprecated on the registry. That said, the release artifacts belonging to the compromised version are still available for download from GitHub as of writing. "The malicious functionality was introduced to the project's official GitHub repository through commits submitted by a GitHub account belonging to a developer with an established history of contributions to the repository," Socket said . The software supply chain security firm said the threat actor behind the attack also published version 1.20.21 across 17 additional @inj...
Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs

Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs

Jul 09, 2026 Developer Security / Supply Chain Security
Datadog Security Labs is warning of "several overlapping campaigns" that are systematically enumerating corporate GitHub organizations, repositories, and user accounts through the GitHub API. "Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub 'ghost' accounts that are often years old, or compromised OAuth tokens and personal access tokens (PATs) from legitimate users," Julie Agnes Sparks, senior security engineer at Datadog, said . While the activity in most cases involves targeting public data, select instances have gone beyond public information enumeration to successfully clone private repositories. The campaign employs a mix of automated scanner tools, over 50 dormant accounts, and dozens of legitimate accounts that have had their personal access tokens (PATs) exposed unintentionally or compromised through some other method to facilitate the enumeration. What's notable about the ...
Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It

Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It

Jul 09, 2026 AI Security / Vulnerability
Ask an AI coding agent to scan open-source code for security holes, and it might run the attacker's code on your own machine instead. That is the finding in a  proof-of-concept published Wednesday by the AI Now Institute, an attack it calls " Friendly Fire. " It works against Anthropic's Claude Code and OpenAI's Codex when either is running in an autonomous mode that approves its own commands. It hijacks the exact job these tools are sold for: checking untrusted third-party code for problems. Instead of catching the threat, the agent becomes the way in. Researchers Boyan Milanov and Heidy Khlaaf tested two setups, each a stock install with the autonomous mode switched on: Claude Code (CLI 2.1.116, 2.1.196, 2.1.198, 2.1.199) on Claude Sonnet 4.6, Sonnet 5, or Opus 4.8 OpenAI Codex (CLI 0.142.4) on GPT-5.5 Claude Code's "auto-mode" and Codex's "auto-review" use a classifier to run commands the agent judges safe, pausing ...
cyber security

Take the AI Sprawl CISO Survey. Get fast track to BlackHat swag

websiteRecoAI Security / SaaS Security
Answer questions on AI sprawl. First access to the peer benchmark report.
cyber security

Zscaler ThreatLabz 2026 VPN Risk Report with Cybersecurity Insiders

websiteZscalerAI Security / Network Security
VPN Risk Report reveals attackers using AI to move at machine speed, leaving legacy VPNs exposed.
GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents

GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents

Jul 09, 2026 AI Security / Vulnerability
Researchers at  Wiz  found that a flaw in six popular AI coding assistants lets a booby-trapped code project quietly take control of a developer's computer. The assistant asks permission to edit one harmless-looking file, but the write lands on a sensitive one instead. The affected tools are Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Wiz calls the pattern GhostApproval and published it on July 8. Three of the six have shipped fixes, two have not, and Anthropic disputes that it is a bug. The most exposed are the tools that change files before you can weigh in. How the attack works The attack abuses an old Unix feature called a symbolic link , or symlink , that the assistants fail to check. A symlink quietly points to another file elsewhere on disk, so writing to it actually writes to the target. Wiz built a malicious repository with a symlink named project_settings.json that really points to the victim's ...
AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers

AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers

Jul 08, 2026 AI Security / Threat Detection
Sophos looked at a week of its own endpoint data and found that AI coding agents such as Claude Code, Cursor, and OpenAI Codex are setting off detection rules written to catch human intruders. The agents are not malicious. They just do a lot of things that, to a behavioral engine, look exactly like an attack. Decrypting browser credentials, listing what sits in Windows' credential store, pulling files down with built-in system tools, writing to the startup folder: these have long been high-signal to defenders. What has changed is who is generating it. On the machines Sophos watched, it was often a developer's AI assistant going about ordinary work. What set the alarms off The  analysis  draws on seven days of telemetry from June 2026, taken from Sophos's behavioral engine on Windows and counted by unique machines, not raw event volume. It is a narrow window on one vendor's fleet, not an industry census. Sophos's charts put credential access at 56.2 perc...
New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware

New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware

Jul 08, 2026 AI Security / Botnet
AI coding assistants have a habit of making things up. Ask one to fetch a popular tool, and it will sometimes hand back a real-sounding name for a project that does not exist. New research, which its authors call  HalluSquatting , turns that habit into an attack: work out the fake names an AI reliably invents, register them first, and wait for the assistant to fetch your trap on a user's behalf. Anyone whose AI assistant can fetch an outside resource and then run commands with little human review is exposed. In tests, that path led the assistant to run attacker-supplied code on the machine. Repeat it with a popular enough resource, and one planted name can reach many machines, which is why the researchers frame it as a way to assemble a botnet. How it works The attack chains two AI quirks. The first is a  hallucination : an AI making something up and presenting it as real. The second is a  prompt injection : a booby-trapped instruction that hijacks the AI, so i...
GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code

GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code

Jul 08, 2026 Artificial Intelligence / Software Security
An AI coding assistant that refuses to answer a dangerous request in its chat box can answer it anyway if the same request is broken into small, ordinary-looking steps inside a code editor. That is the finding of a  new study of GitHub Copilot  by researchers Abhishek Kumar and Carsten Maple. The models they tested through Copilot, Claude from Anthropic, and Gemini from Google, refused almost every harmful request when asked directly. Reframed as steps in a normal coding task, they produced the harmful answers in all 816 of the study's workflow runs. What makes this different from a typical jailbreak: no one asks for the harmful thing directly, and the model is not tricked into running someone else's code. It writes the banned content itself, as a side effect of a coding task it was told to improve. How it works The researchers call the method workflow-level jailbreak construction . Instead of a single blunt prompt, they asked Copilot to build an everyday piece of s...
SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing

SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing

Jul 06, 2026 AI Security / Threat Detection
Scanners meant to catch malicious add-on "skills" for AI coding agents can be fooled by a few simple changes that leave the malware working, according to a  new study  from researchers at the Hong Kong University of Science and Technology. Their strongest trick slipped past every scanner tested more than 90% of the time, and the same team built a runtime checker that catches most of the disguised skills the scanners miss. Skills are small packages, usually a Markdown instruction file plus a few scripts, that agents such as Claude Code, OpenAI Codex, and OpenClaw load to pick up a new capability. Because a skill is just a bundle of files, the same one can run across different agents. And it runs with the agent's own access: your files, your terminal, your saved passwords. A bad one can steal credentials, copy source code, or install a backdoor. Most of what a public marketplace lists is uploaded by strangers with little vetting. The main defense so far has been th...
Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

Jun 26, 2026 Supply Chain Attack / Developer Security
Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem. "The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project," Socket said . The end goal of the campaign, as before, is to harvest developer or maintainer credentials and weaponize the stolen data to spread across package registries, repositories, and trusted developer workflows. The list of affected packages is below - hexo-deployer-wrangler@1.0.4 hexo-shoka-swiper@0.1.10 leo-auth@4.0.6 leo-aws@2.0.4 leo-cache@1.0.2 leo-cdk-lib@0.0.2 leo-cli@3.0.3 leo-config@1.1.1 leo-connector-elasticsearch@2.0.6 leo-connector-mongo@3.0.8 leo-connector-mysql@3.0.3 ...
Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT

Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT

Jun 23, 2026 Supply Chain Attack / Developer Security
Cybersecurity researchers have discovered a set of malicious npm packages that are designed to deliver a Windows-based remote access trojan (RAT). The list of identified packages, is below - aes-decode-runner-pro (145 downloads) postcss-minify-selector (256 downloads) postcss-minify-selector-parser (615 downloads) All the packages were published over the past month by an npm user named " abdrizak " and continue to be available for download from npm as of writing.  "Aes-decode-runner-pro and postcss-minify-selector-parser both present themselves as layered AES/custom-codec packages and depend on the legitimate postcss-selector-parser," JFrog said in an analysis. "Postcss-minify-selector presents itself as a PostCSS selector minifier and depends on postcss-minify-selector-parser." As for "postcss-minify-selector-parser," the name is a reference to " postcss-selector-parser ," a widely used npm library with more than 1...
Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats

Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats

Jun 17, 2026 Supply Chain Security / AI Security
Cybersecurity researchers have flagged a "coordinated malware campaign" on the JetBrains Marketplace that has published no less than 15 malicious plugins capable of exfiltrating artificial intelligence (AI) provider keys. "Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests," Aikido Security researcher Ilyas Makari said . "They function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker." The activity is said to have been ongoing since the end of October 2025, with new plugins released as recently as June 10, 2026. Two of the plugins, CodeGPT AI Assistant and DeepSeek AI Assist, have more than 25,000 downloads each, although it's not clear if the counts are authentic or if they have been inflated to fake their popularity. The complete list of plugins is below -...
Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code

Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code

Jun 12, 2026 Artificial Intelligence / Vulnerability
Cybersecurity researchers have described what they say is a new class of attack that can trick artificial intelligence (AI) coding agents into running arbitrary code on developer machines. Called Agentjacking by Tenet Security, the attack can be triggered by means of a fake error report crafted using Sentry, an open-source error-tracking and performance-monitoring platform. "The attack exploits a critical architectural flaw at the intersection of Sentry's event ingestion (which accepts arbitrary payloads from anyone with the DSN) and the Sentry MCP server (which returns this data to AI agents as trusted system output)," security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran said . The idea is to inject crafted input into Sentry error events, which are then interpreted by coding agents like Claude Code and Cursor as legitimate diagnostic resolution steps and run attacker-controlled code. A successful attack of this kind can expose sensitive data, includ...
GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks

GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks

Jun 11, 2026 Developer Security / Software Supply Chain
GitHub has announced what it said are "breaking changes" coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats. The changes aim to combat attack techniques that abuse the "npm install" command to trigger the execution of malicious code using npm lifecycle hooks. "Npm install" is used to download and install all the necessary dependencies for a Node.js project. Version 12 is scheduled for release next month. Describing install-time lifecycle scripts as the "single largest code-execution surface in the npm ecosystem," GitHub said the "npm install" command runs scripts from every transitive dependency, as a result of which a single compromised package anywhere in the dependency tree can run arbitrary code on a developer machine or CI runner. By blocking such behaviours, the idea is to require explicit user approval before code execution is initiated automatically durin...
Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer

Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer

May 19, 2026 Supply Chain Attack / Developer Security
Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Microsoft Visual Studio Code (VS Code) Marketplace. The extension in question is rwl.angular-console (version 18.95.0), a popular user interface and plugin for code editors like VS Code, Cursor, and JetBrains. The VS Code extension has more than 2.2 million installations. "Within seconds of a developer opening any workspace, the compromised extension silently fetched and executed a 498 KB obfuscated payload from a dangling orphan commit hidden inside the official nrwl/nx GitHub repository," StepSecurity researcher Ashish Kurmi said . The payload is a "multi-stage credential stealer and supply chain poisoning tool" that harvests developer secrets and exfiltrates them via HTTPS, the GitHub API, and DNS tunneling. It also installs a Python backdoor on macOS systems that abuses the GitHub Search API as a dead drop resolver for receiving further comm...
Developer Workstations Are Now Part of the Software Supply Chain

Developer Workstations Are Now Part of the Software Supply Chain

May 18, 2026 Artificial Intelligence / Developer Security
Supply chain attackers are not only trying to slip malicious code into trusted software. They are trying to steal the access that makes trusted software possible. Recently, three separate campaigns hit npm, PyPI, and Docker Hub in a 48-hour window, and all three targeted secrets from developer environments and CI/CD pipelines, including API keys, cloud credentials, SSH keys, and tokens. This is an ongoing concern and is self-propagating, as seen in attacks like the "mini Shai Hulud" campaigns.  That pattern should change how security teams think about the software supply chain. Traditionally, security focused on shared systems like source code repositories, CI/CD platforms, artifact registries, package managers, and cloud environments. The goal was to protect production workloads and data. We absolutely still need to focus on these areas, but it is an incomplete picture.  Modern software delivery begins before code reaches Git. It begins on the developer workstation, wher...
Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets

Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets

May 14, 2026 Developer Security / Supply Chain Attack
Cybersecurity researchers are sounding the alarm about what has been described as "malicious activity" in newly published versions of node-ipc. According to Socket and StepSecurity , three different versions of the npm package have been confirmed as malicious - node-ipc@9.1.6 node-ipc@9.2.3 node-ipc@12.0.1 "Early analysis indicates that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 contain obfuscated stealer/backdoor behavior," Socket said. "The malware appears to fingerprint the host environment, enumerate and read local files, compress and chunk collected data, wrap the payload in a cryptographic envelope, and attempt exfiltration through a network endpoint selected via DNS/address logic." StepSecurity said the heavily obfuscated payload is triggered when the package is required at runtime, and attempts to exfiltrate a broad set of developer and cloud secrets to an external command-and-control (C2) server. This includes 90 categories ...
GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos

GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos

Mar 16, 2026 Malware / Cryptocurrency
The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. "The attack targets Python projects — including Django apps, ML research code, Streamlit dashboards, and PyPI packages — by appending obfuscated code to files like setup.py, main.py, and app.py," StepSecurity said . "Anyone who runs pip install from a compromised repo or clones and executes the code will trigger the malware." According to the software supply chain security company, the earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebasing the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-pushing the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The a...
GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers

GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers

Mar 14, 2026 Malware / Threat Intelligence
Cybersecurity researchers have flagged a new iteration of the GlassWorm campaign that they say represents a "significant escalation" in how it propagates through the Open VSX registry. "Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates, allowing a benign-appearing package to begin pulling a separate GlassWorm-linked extension only after trust has already been established," Socket said in a report published Friday. The software supply chain security company said it discovered at least 72 additional malicious Open VSX extensions since January 31, 2026, targeting developers. These extensions mimic widely used developer utilities, including linters and formatters, code runners, and tools for artificial intelligence (AI)-powered coding assistants like Clade Code and Google...
Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets

Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets

Mar 11, 2026 Artificial Intelligence / Developer Security
Cybersecurity researchers have discovered five malicious Rust crates that masquerade as time-related utilities to transmit .env file data to the threat actors. The Rust packages, published to crates.io, are listed below - chrono_anchor dnp3times time_calibrator time_calibrators time-sync The crates, per Socket, impersonate timeapi.io and were published between late February and early March 2026. It's assessed to be the work of a single threat actor based on the use of the same exfiltration methodology and the lookalike domain ("timeapis[.]io") to stash the stolen data. "Although the crates pose as local time utilities, their core behavior is credential and secret theft," security researcher Kirill Boychenko said . "They attempt to collect sensitive data from developer environments, most notably .env files, and exfiltrate it to threat actor-controlled infrastructure." While four of the aforementioned packages exhibit fairly straightforward ...
Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials

Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials

Mar 09, 2026 Malware / Developer Security
Cybersecurity researchers have discovered a malicious npm package that masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from compromised hosts. The package, named " @openclaw-ai/openclawai ," was uploaded to the registry by a user named "openclaw-ai" on March 3, 2026. It has been downloaded 178 times to date. The library is still available for download as of writing. JFrog, which discovered the package, said it's designed to steal system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, as well as install a persistent RAT with remote access capabilities, SOCKS5 proxy, and live browser session cloning. It's tracking the activity under the name GhostClaw. "The attack is notable for its broad data collection, its use of social engineering to harvest the victim's system password, and the sophistication of its persistence and C2 [command-and-contro...
Expert Insights Articles Videos
Cybersecurity Resources