IntroductionOn May 14, 2026, the Zscaler ThreatLabz team identified unusually high activity associated with the threat actor SmartApeSG to deploy malware. During our examination, we discovered ...

Researchers have uncovered a supply-chain attack that hides in Python packages, propagates like a worm, and tricks LLM-based ...

TAJS is a dataflow analysis for JavaScript that infers type information and call graphs. The current version of the analysis contains a model of ECMAScript 3rd edition, including the standard library, ...

Microsoft Threat Intelligence analyzed a cryptocurrency clipper campaign that combines clipboard theft, wallet replacement, ...

To understand the urgency of the patch, we examine the technical flaw behind CVE-2026-11645. CVE-2026-11645 is an ...

With the proper setup and guidance, you can have Claude Code, Codex, Posit Assistant, and other coding agents writing R code ...

Mastra npm packages added easy-day-js malware, exposing developer systems and CI runners to infostealer risks.

Over 100 NPM and PyPI packages were injected with malicious code in the Miasma and Hades Shai-Hulud supply chain attack ...

If necessary you can ignore certain files or directories using the option --ignore-pattern. For example, to ignore vendored code to focus on problems in your own project you can use: Detect cases of ...

A poisoned npm package infected 140+ projects with a hidden payload. This report highlights how to detect, hunt, and defend ...

The Miasma credential-stealing attack framework, which has recently targeted open-source ecosystems through supply-chain ...

A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. The campaign was ...