Thousands of secrets such as PyPI and AWS keys, GitHub tokens, and more, were stolen recently during a supply-chain attack against GitHub, dubbed ‘GhostAction’. The attack was spotted by security ...

Hundreds of compromised packages pulled as registry shifts to 2FA and trusted publishing GitHub, which owns the npm registry ...

In the light of recent supply chain attacks targeting the NPM ecosystem, GitHub will implement tighter authentication and ...

The Python Software Foundation team has invalidated all PyPI tokens stolen in the GhostAction supply chain attack in early ...

On September 5, 2025, GitGuardian discovered GhostAction, a massive supply chain attack affecting 327 GitHub users across 817 repositories. Attackers injected malicious workflows that exfiltrated ...

The bundle.js script is designed to steal npm, GitHub, AWS and GCP tokens. But it also installs TruffleHog – an open source ...

Since launching out of Y Combinator's Winter 2024 batch, Blacksmith has steadily grown to $1M in ARR, with revenue tripling in just the past four months. More than 800 companies, including Ashby, ...

Many open-source repositories contain privileged GitHub Actions workflows that execute untrusted code and can be triggered by attackers to expose credentials and access tokens, as MITRE and Splunk ...

A monthly overview of things you need to know as an architect or aspiring architect. Unlock the full InfoQ experience by logging in! Stay updated with your favorite authors and topics, engage with ...

A monthly overview of things you need to know as an architect or aspiring architect. Unlock the full InfoQ experience by logging in! Stay updated with your favorite authors and topics, engage with ...

A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The ...