The threat group behind the Miasma worm has expanded its attack surface to VS Code extensions, using them as a vector to compromise GitHub accounts and inject malicious code into open source projects.
2 sources
Coming in July 2026, npm v12 disables automatic install scripts, git dependencies, and remote URL resolution by default. Every frontend team needs an allowlist before the upgrade lands.
1 source
HackerOne launched an AI platform that autonomously discovers and validates security vulnerabilities. It combines agentic AI with the company's existing bug bounty triage data to reduce false positives and speed up remediation.
1 source
CVE-2026-11645 is the fifth Chrome zero-day exploited in 2026, an out-of-bounds read/write in the V8 JavaScript/WebAssembly engine. CVSS 8.8. Patch is in Chrome 149. The pace of Chrome zero-days is accelerating.
2 sources
CVE-2026-42826 lets unauthenticated attackers extract sensitive data from Azure DevOps with zero user interaction. CVSS score of 10.0, the highest possible. Here's what's exposed and how to check if you're patched.
2 sources
A coordinated campaign injected malicious code into 14 widely-used npm packages last week. We break down the affected packages, detection steps for your lockfile, and the one CI flag that catches this.
1 source