Morning Overview on MSN

Malicious open-source packages have surged 73% in 2026 as attackers poison the software ...

In March 2026, someone hijacked a maintainer account for Axios, a JavaScript HTTP library downloaded more than 45 million ...
EconoTimes

OpenAI Finds No Evidence of User Data Breach in TanStack npm Supply-Chain Attack

OpenAI confirmed on Wednesday that it found no evidence suggesting user data was compromised following a security incident ...
Ars Technica

Open source package with 1 million monthly downloads stole user credentials

Open source software with more than 1 million monthly downloads was compromised after a threat actor exploited a vulnerability in the developers’ account workflow that gave access to its signing keys ...

Critical vm2 sandbox bug lets attackers execute code on hosts

A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary ...
Bleeping Computer

Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining

Hackers are exploiting two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptominers on developers' servers. Exploitation started in early February, ...
来自MSN

Top open source PyPI package with over 1 million downloads each month hacked to send out ...

A widely used PyPI package was recently compromised through a malicious update The attack leveraged a GitHub Actions workflow to push infostealer code into a release Maintainers quickly issued a clean ...
CSO Online

13 new critical holes in JavaScript sandbox allow execution of arbitrary code

Thirteen critical vulnerabilities have been found in the vm2 JavaScript sandbox package that could allow an attacker’s code ...
The Hacker News

Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

TeamPCP’s Mini Shai-Hulud campaign used hijacked GitHub OIDC tokens to spread a credential-stealing worm through TanStack npm ...
MIT Technology Review

China’s open-source bet

The country’s top AI labs are undercutting US competitors and winning over developers by making their best models free. Silicon Valley AI companies follow a familiar playbook: Keep the secret sauce ...
CoinTelegraph

Kelp exploit highlights problem with non-isolated DeFi lending: Crypto execs

The contagion from the Kelp exploit could have been contained, but at the cost of capital efficiency, according to the founder of Curve Finance. The exploit of the Kelp liquid restaking protocol shows ...
CoinTelegraph

LayerZero says Kelp setup caused exploit, as Aave loss questions mount

LayerZero said that Kelp’s DVN setup caused the $290 million exploit, as investors questioned which protocol would step up to cover the shortfall. Interoperability protocol LayerZero claims that an ...
Green Bay Press-Gazette

Konstrukt’s Omakase Player Powers Native Open-Source Player for Time Addressable Media Store

The announcement comes as TAMS, an open-source API specification based on a practical implementation of Time Addressable Media principles developed by BBC Research & Development, is well-positioned to ...