Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Snyk

The AntV Supply Chain Campaign Expands: Microsoft's `durabletask` PyPI Package Compromised

May 19, 2026 By Liran Tal In Snyk
The ink was barely dry on our coverage of the AntV Shai Hulud supply chain attack when a new compromise surfaced in the Python ecosystem. The target this time is durabletask, an open source Python package associated with Microsoft, used for building durable, fault-tolerant workflow orchestration on top of the Durable Task Framework. The latest safe version of durabletask is 1.4.0, and three known versions have been yanked from the PyPI registry.
Read Post
Snyk

Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account

May 18, 2026 By Liran Tal In Snyk
A supply chain attack affecting the @antv data visualization ecosystem and related npm packages is actively spreading through the npm registry. The attack, attributed to a threat group called TeamPCP and branded as another wave of the Mini Shai-Hulud campaign, published more than 300 malicious package versions across 323 packages in a 22-minute automated burst on May 19, 2026. The packages collectively represent approximately 16 million weekly downloads.
Read Post

Mini Shai-Hulud: The Most Sophisticated NPM Supply Chain Attack of 2026

May 18, 2026 By Snyk In Snyk
On May 11, 2026, the TanStack namespace was hit by a "Mini Shai-Hulud" supply chain attack. Unlike typical attacks, this did not involve stolen credentials; instead, the threat group TeamPCP hijacked the legitimate GitHub Actions release pipeline. This video covers the technical details of the OIDC token extraction, the "Dead Man's Switch" that triggers a rm -rf / upon credential revocation, and the mandatory remediation order you must follow to save your data. We also discuss how to harden your workflow using release-age cooldowns and OIDC pinning.
View Video
Snyk

Malicious node-ipc versions published to npm in suspected maintainer account compromise

May 15, 2026 By Brian Vermeer In Snyk
On May 14, 2026, multiple malicious versions of the popular npm package node-ipc were published to the npm registry. Current public reporting identifies node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 as compromised versions containing an obfuscated credential-stealing payload. The malicious code was added to the CommonJS bundle, node-ipc.cjs, and is triggered when the package is loaded through require("node-ipc").
Read Post
Snyk

TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack

May 11, 2026 By Stephen Thoemmes In Snyk
On May 11, 2026, between 19:20 and 19:26 UTC, 84 malicious npm package artifacts were published across 42 packages in the @tanstack namespace. The packages were not published by an attacker who stole credentials; they were published by TanStack's legitimate release pipeline, using its trusted OIDC identity, after attacker-controlled code hijacked the runner mid-workflow. The malicious versions spread to Mistral AI, UiPath, and dozens of other maintainers within hours.
Read Post
Snyk

Snyk Embeds Anthropic's Claude to Advance AI-Powered Security for Software Development

May 7, 2026 By Snyk In Snyk
BOSTON, May 7, 2026 — Snyk, the AI security company, today announced it is leveraging Anthropic's Claude models to advance software security in an era of AI-powered development. Starting today, Snyk has integrated Claude into the Snyk AI Security Platform — powering automated vulnerability discovery, prioritization, and developer-ready fixes across code, dependencies, containers, and AI-generated artifacts. The threat driving that integration is real and accelerating.
Read Post

GPT-5.5 vs Claude Opus 4.7: I Made Both Build an App - Here's What Happened

May 4, 2026 By Snyk In Snyk
GPT-5.5 vs Claude Opus 4.7 - two flagship AI models dropped one week apart, and both claim to be the best at agentic coding. We put that to the test by giving each model the exact same prompt: build a production-ready, secure note-taking application from scratch. But we didn't stop at reviewing the code. We actually tried to break it by running real security tests against each app to see whether AI-generated code can be trusted with user data. The results were not what we expected.
View Video
Snyk

lightning PyPI Compromise: A Bun-Based Credential Stealer in Python

Apr 30, 2026 By Stephen Thoemmes In Snyk
On April 30, 2026, two malicious releases of the popular lightning PyPI package were published, affecting the deep learning framework formerly distributed as pytorch-lightning. Versions 2.6.2 and 2.6.3 ship a hidden _runtime directory that downloads the Bun JavaScript runtime from GitHub at import time and uses it to execute an ~11 MB obfuscated credential stealer. The last clean release is 2.6.1, published January 30, 2026.
Read Post
Snyk

Bridging the Gap to Autonomous Fixes: Snyk and Atlassian Unveil Intelligent Remediation for Jira

Apr 29, 2026 By Jack Ryan In Snyk
Modern development teams are currently drowning in security debt, often trapped in a manual, fragmented cycle of "find and fix" that slows down innovation. Even when equipped with high-fidelity vulnerability data, traditional workflows require developers to constantly context-switch between Jira tickets and their codebases to manually implement and test patches.
Read Post

Copyright © 2026 OpsMatters™. All rights reserved.