CyberSecurity Updates

A fresh Mini Shai-Hulud supply chain attack has hit over 320 NPM packages, along with GitHub Actions and a VS Code extension, security researchers report. The NPM maintainer account ‘atool’, which has access to multiple packages across the @antv namespace, and which publishes timeago.js (1.5 million weekly downloads), was compromised and used to publish malicious package versions. The attack propagated downstream to other highly popular packages, including echarts-for-react (~1.1 million weekly downloads), “impacting a much…

The notorious B1ack’s Stash dark web carding marketplace has announced the free download of 4.6 million stolen credit card records. The data, it says, was dumped after sellers were caught reselling card data purchased from B1ack’s Stash on competing platforms, a violation of the marketplace’s policies. B1ack’s Stash allegedly suspended 8 million stolen CVV2 records in response to the sellers’ misconduct, and decided to release the card data for free, instead of deleting it from…

Technical details and proof-of-concept (PoC) exploit code targeting a newly patched critical-severity vulnerability in NGINX are now available. Tracked as CVE-2026-42945 (CVSS score of 9.2), the issue was patched in the widely used web server this week as part of F5’s latest quarterly patch release, 16 years after it was introduced. The bug is described as a heap buffer overflow in the ngx_http_rewrite_module component that could be exploited to trigger a restart, creating a denial-of-service…

SecurityWeek’s weekly cybersecurity news roundup offers a concise overview of important developments that may not receive full standalone coverage but remain relevant to the broader threat landscape. This curated summary highlights key stories across vulnerability disclosures, emerging attack methods, policy updates, industry reports, and other noteworthy events to help readers maintain a well-rounded awareness of the evolving cybersecurity environment. Here are this week’s highlights: Nvidia cloud gaming partner suffers data breach Nvidia has confirmed that…

OpenAI has disclosed the impact of the recent TanStack supply chain attack, warning that credential material was exfiltrated from internal source code repositories. The open source web application development stack TanStack was hit on May 11, when the TeamPCP hacking group exploited security weaknesses in the package publishing process to release 84 malicious artifacts across 42 packages. Over 170 packages across several high-profile NPM and PyPI namespaces were compromised on the same day as part…