Supply-chain attack using invisible code hits GitHub and other repositories

Researchers say they’ve discovered a supply-chain attack flooding repositories with malicious packages that contain invisible ...

OpenAI’s Codex Security: An AI Agent That Hunts Down Vulnerabilities

OpenAI launches Codex Security, an AI agent-vulnerability scanner that helps developers find and fix high-impact holes in their code.
MIT Technology Review

The Download: AI’s role in the Iran war, and an escalating legal fight

Much of the spotlight on AI in the Iran conflict has focused on models like Claude helping the US military decide where to ...
The Hacker News

Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft

Malicious Chrome extensions tied to ownership transfers push malware and steal data, exposing thousands to credential theft ...
InfoQ

GitHub Data Shows AI Tools Creating "Convenience Loops" That Reshape Developer Language Choices

GitHub’s Octoverse 2025 report reveals a "convenience loop" where AI coding assistants drive language choice. TypeScript’s 66 ...

Chrome Extension Hijacked to Deliver Malware, Steal Crypto Wallets

A compromised Chrome extension with 7,000 users was updated to deploy malware, strip security headers, and steal ...
VentureBeat

Browser-based attacks hit 95% of enterprises — and traditional security tools never saw them coming

Your web gateway can't see it. Your cloud access broker can't see it. Your endpoint protection can't see it. And yet 95% of organizations experienced browser-based ...
IEEE

Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages

Abstract: With the emergence of the Node.js ecosystem, JavaScript has become a widely used programming language for implementing server-side web applications. In this article, we present the first ...
Android Police

How to find downloads on your Android phone or tablet

Faith writes guides, how-tos, and roundups on the latest Android games and apps for Android Police. You'll find her writing about the newest free-to-play game to hit Android or discussing her paranoia ...
Bleeping Computer

GhostPoster attacks hide malicious JavaScript in Firefox addon logos

A new campaign dubbed 'GhostPoster' is hiding JavaScript code in the image logo of malicious Firefox extensions with more than 50,000 downloads, to monitor browser activity and plant a backdoor. The ...
GitHub

[Announcement] External JavaScript runtime now required for full YouTube support

While yt-dlp-ejs and the external JavaScript runtimes are currently only used with YouTube, yt-dlp's usage of these may be expanded in the future (and necessarily so) If this guidance is insufficient, ...
Bleeping Computer

Popular JavaScript library expr-eval vulnerable to RCE flaw

A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be exploited to execute code remotely through maliciously crafted input. The ...