Attackers compromised the update mechanisms of three WordPress plugins and distributed malware to over one million users through a supply-chain vulnerability.
Three popular WordPress plugins were abused to create attacker-controlled admin accounts and install backdoor plugins, deliberately targeting administrators as the attack vector.
Starting with version 12, npm blocks packages' install scripts from running automatically by default, a practice that competitors such as Yarn, pnpm, and Bun had already established.
Hades is supply-chain malware that infects Python packages with specialized prompt-injection logic in order to compromise both automated LLM scanners and systems with memory access.
Simple attack techniques remain effective despite known countermeasures, while intrusions that went undetected over extended periods reveal gaps in anomaly detection.
Microsoft disabled 73 GitHub repositories following a compromise by the Miasma worm, responding to a direct supply-chain attack on its developer infrastructure.