Sign up for our newsletter!
Stay informed on the latest DevOps news

DevOps.com

Jeff Burt

open source, software, security, open-source, Lineaje, Linux, open source, report, study, Open source code

North Korean Hackers Suspected in Supply Chain Attack on Popular Axios Project

| Axios, CI/CD, Google Threat Intelligence Group, JavaScript dependencies, Mandiant, North Korea, remote access trojan (RAT), Socket, sonatype, supply chain attack, TeamPCP
The threat actor targeted a highly popular open source project with more than 100 million weekly downloads, creating a large "blast radius." ...
supply chain, software, Checkmarx, data, Endor, SCA, supply chain, security, workflows, supply chain, software, supply chain security, appsec, polyfill, software, supply chains, DevOps, DevSecOps, Google supply chain

Sophisticated Supply Chain Attack Targeting Trivy Expands to Checkmarx, LiteLLM

| AI (Artificial Intelligence), AI supply chain attacks, Aqua Security Trivy, Checkmarx, Cloud Security, credentials, exposed secrets, GitHub Actions, LiteLLM, microsoft, Palo Alto Networks, Sysdig, TeamPCP
The supply chain attack that compromised Aqua Security’s Trivy open source security vulnerability scanner and its associated GitHub Actions earlier this month continues to expand, with software development tools from Checkmarx and ...
Two Malicious npm Packages Aim to Steal Credentials and Other Secrets

Two Malicious npm Packages Aim to Steal Credentials and Other Secrets

| API Keys, CI/CD pipelines, credential theft, Data Exfiltration, exposed secrets, GitHub repositories, , malicious npm packages, sonatype
Bad actors took over a npm maintainer account and have published two malicious packages designed to steal credentials, API keys, and other secrets from the computers of victims who download them from ...
talent SRE Tidelift DevOps software, developers, testers, friends

N. Korean Famous Chollima Hackers Use Malicious npm Packages to Steal Data

| Contagious Interview, Famous Chollima, infostealer, linux, macOS, malicious npm packages, Microsoft Windows, Pastebin, remote access trojan (RAT), Socket, software developers, typosquatting
A group of more than two dozen malicious npm packages used to steal secrets and credentials from software developers has all the hallmarks – from infrastructure to operations – of Famous Chollima, ...
AI, AWS, agents, code, AI, code, spacelift, GitLab, Duo, AI, integrating Generative AI, with DevOps, BMC, generative AI, DevOps workflows, Generative AI, model, low-code/no-code, ChatGPT

Security Flaws in Anthropic’s Claude Code Risk Stolen Data, System Takeover

| AI API Security, AI coding risks, AI coding tools, AI developer tools, Anthropic Claude Code, Check Point, MCP protocol, Palo Alto Unit 42
Three critical vulnerabilities found in Anthropic’s Claude Code agentic AI developer tool could be exploited simply by cloning and opening an untrusted project and lead to system takeover, stolen API keys, and ...
CISA, secure by design, ReversingLabs, open-source, AI, cybersecurity, tooling, CISA Security Scribe ReversingLabs software supply chain cybersecurity - software supply chain security - risks - cyberattacks - Log4J - vulnerabilities

‘PackageGate’ Vulnerabilities Can Let Attackers Bypass Shai-Hulud Defenses

| Aikido Security, Bun, Git dependency, github, Koi Security, microsoft, npm registry, PhantomRaven, PNPM, remote code execution, Shai-Hulud worm, supply chain attack, VLT
In the wake of the massive Shai-Hulud supply chain attack that ripped through npm late last year and compromised more than 700 packages and exposed 25,000 repositories, developers in the JavaScript world ...
Jamf, Korea, code, hybrid, ai-powered, observability, insights, DevSecOps Cisco Chronosphere observability, data collection, Observe Google Splunk ServiceNow Logz.io observability Web3 developers CodeSee Survey Surfaces Slow But Steady DevSecOps Progress

N. Korea Contagious Interview Campaign Turns to VS Code to Deliver Backdoor

| backdoors, Contagious Interview, Git repositories, github, information stealing, Jamf, North Korea, remote code execution
Jamf security researchers said state-sponsored espionage actors are using malicious VS Code projects to steal information ...
CISA, secure by design, ReversingLabs, open-source, AI, cybersecurity, tooling, CISA Security Scribe ReversingLabs software supply chain cybersecurity - software supply chain security - risks - cyberattacks - Log4J - vulnerabilities

Attackers Testing New Strain of Shai-Hulud on npm: Aikido

| Aikido Security, GitHub repositories, information stealing, JavaScript, leaked secrets, npm registry, Shai-Hulud worm
Threat actors behind the virulent Shai-Hulud worm that wreaked havoc in open npm repositories toward the end of 2025 apparently are trying out a new strain that comes with slight modifications. Security ...
AI-based, software development, ai, code generation, repositories, GitHub, Arm, extension, GitHub, Copilot, Git, bloat, malicious, GitLab, memory-safe, CISA, agency, Skillsoft GitHub GitKraken code QA

Best of 2025: GitHub Action Compromise Risks Data Leaks for 23,000 Repositories

| GitHub Actions, leaked secrets, Python, software supply chain attacks
The attacker introduced malicious Python code that would expose secrets like authentication credentials in public repositories ...
AI, security

Best of 2025: AI-Generated Code Packages Can Lead to ‘Slopsquatting’ Threat

| AI code generation, AI hallucinations, Large Language Models, slopsquatting, software supply chain risks
AI hallucinations – the occasional tendency of large language models to respond to prompts with incorrect, inaccurate or made-up answers – have been an ongoing concern as the enterprise adoption of generative ...
Show More

Jeff Burt