Trusted Publishing
-
Researchers find VS Code extensions that install stealer malware, Microsoft removes packages
Researchers and security firms found two malicious Visual Studio Code extensions that stole credentials, screenshots and browser data; Microsoft removed the packages and analysts warned developers to review extensions and supply-chain risks.
-
Malicious Rust crate ‘evm‑units’ delivered cross‑platform payloads and targeted Web3 developers
A malicious Rust crate named evm‑units masqueraded as an Ethereum helper and delivered platform‑specific payloads to Windows, macOS and Linux machines. Published by a crates.io user called ablerust and included as a dependency of uniswap‑utils, the package fetched and executed scripts or PowerShell based on the host OS and the presence of Qihoo 360 antivirus,…
-
Glassworm malware returns with 24 malicious VS Code packages on OpenVSX and Microsoft marketplace
The Glassworm malware has returned in a third wave with 24 malicious VS Code extension packages on OpenVSX and the Microsoft Visual Studio Marketplace, using obfuscation and Rust‑based implants to steal credentials, deploy proxies and enable remote access.
-
High-severity parsing flaw in async-tar and forks could enable file overwrite and RCE
A boundary parsing flaw in async-tar and forks including tokio-tar, tracked as CVE-2025-62518 and dubbed TARmageddon, can allow nested TARs to be treated as outer entries and be used to overwrite files and enable remote code execution; users are advised to migrate to astral-tokio-tar v0.5.6.
-
Malicious Rust crates impersonating fast_log steal Solana and Ethereum wallet keys, researchers say
Cybersecurity researchers say two malicious Rust crates impersonating the fast_log logging library were used to harvest Solana and Ethereum wallet keys from source code, with Crates.io removing the packages and preserving logs for analysis after responsible disclosure.
-
GitHub outlines changes to harden npm after self-replicating worm incident
GitHub said a self-replicating “Shai-Hulud” worm compromised maintainer accounts and injected malicious post-install scripts into npm packages, and outlined changes including required 2FA, short-lived granular tokens and trusted publishing to harden npm’s supply chain.
-
GitHub Tightens npm Publishing Security with 2FA, Short-Lived Tokens and Trusted Publishing
GitHub announced a sweeping set of security measures for npm publishing, including deprecating legacy tokens, migrating to FIDO-based 2FA, and introducing seven-day, short-lived granular tokens plus trusted publishing that uses OpenID Connect and cryptographic provenance attestations to bolster npm’s supply-chain security.
