developer-security

GlassWorm Is Hiding Malware in Invisible Code and Pushing It Into Your Python Repos

John Z Black Mar 17, 2026

Supply Chain & Software Security #supply-chain #glassworm #github #python #malware #unicode #developer-security

GlassWorm steals GitHub tokens, then injects malicious code written in invisible Unicode characters into repos developers already trust. 151 packages hit in one week.

The Software You Trust Is Becoming the Attack: Two Supply-Chain Strikes in One Week

John Z Black Mar 15, 2026

Threat Intelligence #supply-chain #developer-security #vs-code #appsflyer #malware #sdk-security

GlassWorm hijacked VS Code extension dependencies. AppsFlyer's SDK got compromised to serve crypto stealers. Both attacks exploited trust, not carelessness.

Developer Supply Chains Under Coordinated Assault: 88 Malicious npm Packages and a CVSS 9.8 in simple-git

John Z Black Mar 12, 2026

Developer Security #npm #supply-chain #developer-security #phantomraven #simple-git #ci-cd #aws #devsecops

PhantomRaven dropped 88 malicious npm packages targeting AWS credentials and CI secrets. A critical RCE in simple-git threatens millions of dev environments. Your developer toolchain is a target.