@withgoogle/stitch-sdk: Scope Squat Harvests Developer Credentials
A malicious npm package squats the @withgoogle scope to impersonate Google Stitch, silently harvesting credentials from Claude Code, git, GitHub CLI, SSH keys, npm, and Docker on install.
Read the full articleYou might also wanna read
npm malware targeting Claude users leaks own GitHub token, reaches 676 downloads
Script kiddies these days
Glassworm Threat Actor Returns with Unicode-Based Supply Chain Attacks on GitHub, npm, and VS Code
The Glassworm supply chain attack is back. Researchers uncovered malware hidden in invisible Unicode characters across 150+ GitHub repositor
aikido.dev·3mo agoGlassworm Threat Actor Returns with Unicode-Based Supply Chain Attacks on GitHub, npm, and VS Code
The Glassworm supply chain attack is back. Researchers uncovered malware hidden in invisible Unicode characters across 150+ GitHub repositor
aikido.dev·3mo agoGitHub Confirms Breach of Internal Repositories Via Malicious VS Code Extension
The prolific threat group TeamPCP has claimed a hack into GitHub’s internal repositories
Open-Source Repo Plants Auth Bugs to Test Whether AI Coding Agents Can Catch Them
A developer tool called FetchSandbox has published an open-source GitHub repository containing intentionally planted security vulnerabilitie
Post-mortem Analysis of @ctrl/tinycolor npm Supply Chain Attack via GitHub Actions
Lessons learned from becoming the unexpected face of a npm supply-chain attack.
Undocumented Claude Code Features Revealed Through Source Code Analysis
Hook fields that rewrite commands mid-flight, persistent agent memory, auto-mode rules in plain English, self-improving dream loops, and eve

Comments
Sign in to join the conversation.
No comments yet. Be the first.