The Hacker News

Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan

Two fake spellchecker packages on PyPI hid a Python RAT in dictionary files, activating malware on import in version 1.2.0.
SecurityWeek

‘PackageGate’ Flaws Open JavaScript Ecosystem to Supply Chain Attacks

Vulnerabilities in the NPM, PNPM, VLT, and Bun package managers could lead to protection bypasses and arbitrary code ...
InfoWorld

Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud

A researcher at Koi Security says the two key platforms have not plugged the vulnerabilities enabling the worm attacks, and ...

Nederland approves $225M bond package to buy, improve Eldora Mountain Resort

The 1,500-person town in the mountains above Boulder takes another step toward acquiring the local ski mountain.
The Hacker News

CERT/CC Warns binary-parser Bug Allows Node.js Privilege-Level Code Execution

A flaw in the binary-parser npm package before version 2.3.0 lets attackers execute arbitrary JavaScript via unsanitized parser input.

Meta's new president lands $60M stock package and $2M signing bonus

The social media company's latest hire brings Washington experience to a role working closely with CEO Mark Zuckerberg.
CSO Online

From typos to takeovers: Inside the industrialization of npm supply chain attacks

A dramatic spike in npm-focused intrusions shows how attackers have shifted from opportunistic typosquatting to systematic, ...
GitHub

John-pels/monorepo-template

monorepo-template/ ├── .github/ # GitHub workflows and templates │ ├── workflows/ │ │ ├── ci.yml # Continuous integration pipeline │ │ ├── release.yml # Release automation │ │ └── pr-checks.yml # Pull ...
E&E

Takeaways from Congress’ latest spending package

Lawmakers are moving to cut funding but rejecting severe reductions sought by the White House to energy and environment programs. Congressional appropriators’ latest bipartisan spending package, ...