Language package managers like pip, npm, and others pose a high risk during active supply chain attacks. However, OS updates ...
XDA Developers on MSN
A popular Python library just became a backdoor to your entire machine
Supply chain attacks feel like they're becoming more and more common.
Andrej Karpathy, the former Tesla AI director and OpenAI cofounder, is calling a recent Python package attack "software ...
LiteLLM, a massively popular Python library, was compromised via a supply chain attack, resulting in the delivery of ...
Cryptopolitan on MSN
Axios supply chain attack raises risk to crypto wallets
Up to four npm packages on Axios were replaced with malicious versions, in one of the most sophisticated supply chain attacks ...
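However, some have questioned Karpathy's measure of "using an LLM to extract functionality," saying it "merely replaces an unreviewed codebase with one that is LLM output." This is a matter of opinion; whether filtering code through an LLM helps improve its security still depends heavily on the prompt.
If you have recently been using OpenClaw to run Agents or install Skills, or even if you have just installed a few common dependencies as usual, you need to pay close attention! Today, veteran developer Daniel ...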
UNC1069 compromised Axios 1.14.1 and 0.30.4 via social engineering, impacting 100M weekly downloads and exposing supply ...
The GlassWorm supply-chain campaign has returned with a new, coordinated attack that targeted hundreds of packages, repositories, and extensions on GitHub, npm, and VSCode/OpenVSX extensions. Evidence ...