On May 11, 2026, an attacker chained three GitHub Actions vulnerabilities to publish 84 malicious versions across 42 @tanstack/* npm packages. Developers who installed affected versions must immediately rotate all credentials.
#javascript
AI Hacker News 4d ago 1 min read
AI X/Twitter Mar 31, 2026 2 min read
Cloudflare said on March 30, 2026 that its advanced Client-Side Security tools are now available to all users. Cloudflare's blog says the release combines graph neural networks with LLM triage, cuts false positives by up to 200x, and makes advanced client-side protections self-serve while adding complimentary domain-based threat intelligence in the free bundle.
AI Hacker News Mar 31, 2026 2 min read
StepSecurity’s March 31, 2026 disclosure turned a pair of malicious axios releases into a high-priority ecosystem warning. The affected packages used a fake dependency and a postinstall path to deliver a cross-platform RAT dropper.