Security researchers from ReversingLabs have uncovered a series of high-profile compromises targeting popular open-source packages, highlighting the growing risk of malicious code infiltrating widely used software tools. The researchers discovered that cryptomining malware had been injected into packages associated with rspack and vant. Attackers compromised these frequently downloaded tools using stolen npm tokens.



