TrapDoor pushed more than 34 malicious packages across npm, PyPI, and Crates.io after May 22. The sharpest twist is not just credential theft, but the attempt to poison .cursorrules and CLAUDE.md files read by AI coding assistants.
#npm
RSS FeedAI May 25, 2026 2 min read
AI Hacker News May 12, 2026 1 min read
On May 11, 2026, an attacker chained three GitHub Actions vulnerabilities to publish 84 malicious versions across 42 @tanstack/* npm packages. Developers who installed affected versions must immediately rotate all credentials.
AI Hacker News Apr 25, 2026 3 min read
Hacker News treated the Bitwarden CLI compromise as the sort of GitHub Actions failure that becomes far more serious when the package sits near secrets, tokens, and password-manager workflows. By crawl time on April 25, 2026, the thread had 855 points and 416 comments.
AI Hacker News Mar 31, 2026 2 min read
StepSecurity’s March 31, 2026 disclosure turned a pair of malicious axios releases into a high-priority ecosystem warning. The affected packages used a fake dependency and a postinstall path to deliver a cross-platform RAT dropper.