Mini Shai-Hulud: The Worm Turning CI/CD Into an Attack Surface

Veracode Threat Research

By Veracode Threat Research

We are tracking a wave of activity targeting npm packages and JavaScript development infrastructure. This campaign is focused on CI/CD environments, maintainer workflows, and trusted publishing systems. The malware is designed to harvest developer and CI/CD secrets, abuse GitHub Actions workflows, and propagate through compromised publishing pipelines.

Most software supply-chain attacks follow a familiar pattern: upload a compromised package, inject malicious code, steal credentials, and move on.

The modern JavaScript ecosystem built an environment that is extremely good at moving software quickly. It also turns out to be extremely good at moving malware quickly.

What the Malware Is Doing

Across multiple samples, the malware is designed to:

  • harvest npm and GitHub tokens
  • collect CI/CD secrets and environment variables
  • abuse GitHub Actions workflows
  • modify publishing pipelines
  • propagate through maintainer-controlled repositories

Several samples also used Bun-based payload execution instead of relying entirely on traditional Node.js runtime behavior.

This is notable because many runtime detections and monitoring workflows remain heavily focused on Node.js execution patterns.

GitHub Actions Abuse

A consistent themes across the observed compromises is abuse of GitHub Actions workflows and overprivileged CI environments.

In multiple cases, attackers appear to leverage access to trusted publishing workflows to obtain repository and package publishing access.

Workflows using pull_request_target remain especially risky when combined with untrusted code execution.

Once malicious code executes inside a privileged runner, attackers may be able to:

  • access repository secrets
  • steal npm and GitHub tokens
  • tamper with release workflows
  • publish malicious package versions
  • persist through automation systems

Many affected environments also appear to grant broader workflow permissions than necessary.

Propagation Through Trusted Publishing

Unlike traditional npm malware that primarily relies on downstream installs, Mini Shai-Hulud is spread through developer infrastructure itself and abusing trusted publishing paths and CI/CD identities to push additional compromised releases.

That propagation behavior is one of the more concerning aspects of the campaign because it allows legitimate automation infrastructure to become part of the distribution path.

Defensive Recommendations

Organizations using GitHub Actions and automated npm publishing workflows should review:

  • workflow permissions
  • publishing token scopes
  • CI/CD secret exposure
  • maintainer account protections
  • trusted publishing configurations
  • runner isolation controls

We also recommend:

  • restricting GitHub Actions permissions wherever possible
  • reviewing pull_request_target usage
  • rotating publishing credentials
  • isolating CI/CD runners from sensitive infrastructure
  • monitoring package publication activity for anomalies

Ongoing Investigation

The full scope of affected packages and repositories is still evolving.

As additional compromises are identified, package lists and indicators may continue changing.

Currently Known Affected Packages

pkg:npm/@beproduct/nestjs-auth@0.1.10 pkg:npm/@beproduct/nestjs-auth@0.1.11 pkg:npm/@beproduct/nestjs-auth@0.1.12 pkg:npm/@beproduct/nestjs-auth@0.1.13 pkg:npm/@beproduct/nestjs-auth@0.1.14 pkg:npm/@beproduct/nestjs-auth@0.1.15 pkg:npm/@beproduct/nestjs-auth@0.1.16 pkg:npm/@beproduct/nestjs-auth@0.1.17 pkg:npm/@beproduct/nestjs-auth@0.1.18 pkg:npm/@beproduct/nestjs-auth@0.1.19 pkg:npm/@beproduct/nestjs-auth@0.1.2 pkg:npm/@beproduct/nestjs-auth@0.1.3 pkg:npm/@beproduct/nestjs-auth@0.1.4 pkg:npm/@beproduct/nestjs-auth@0.1.5 pkg:npm/@beproduct/nestjs-auth@0.1.6 pkg:npm/@beproduct/nestjs-auth@0.1.7 pkg:npm/@beproduct/nestjs-auth@0.1.8 pkg:npm/@beproduct/nestjs-auth@0.1.9 pkg:npm/@dirigible-ai/sdk@0.6.2 pkg:npm/@dirigible-ai/sdk@0.6.3 pkg:npm/@draftauth/client@0.2.1 pkg:npm/@draftauth/client@0.2.2 pkg:npm/@draftauth/core@0.13.1 pkg:npm/@draftauth/core@0.13.2 pkg:npm/@draftlab/auth@0.24.1 pkg:npm/@draftlab/auth@0.24.2 pkg:npm/@draftlab/auth-router@0.5.1 pkg:npm/@draftlab/auth-router@0.5.2 pkg:npm/@draftlab/db@0.16.1 pkg:npm/@draftlab/db@0.16.2 pkg:npm/@mesadev/rest@0.28.3 pkg:npm/@mesadev/saguaro@0.4.22 pkg:npm/@mesadev/sdk@0.28.3 pkg:npm/@mistralai/mistralai@2.2.2 pkg:npm/@mistralai/mistralai@2.2.3 pkg:npm/@mistralai/mistralai@2.2.4 pkg:npm/@mistralai/mistralai-azure@1.7.1 pkg:npm/@mistralai/mistralai-azure@1.7.2 pkg:npm/@mistralai/mistralai-azure@1.7.3 pkg:npm/@mistralai/mistralai-gcp@1.7.1 pkg:npm/@mistralai/mistralai-gcp@1.7.2 pkg:npm/@mistralai/mistralai-gcp@1.7.3 pkg:npm/@ml-toolkit-ts/preprocessing@1.0.2 pkg:npm/@ml-toolkit-ts/preprocessing@1.0.3 pkg:npm/@ml-toolkit-ts/xgboost@1.0.3 pkg:npm/@ml-toolkit-ts/xgboost@1.0.4 pkg:npm/@opensearch-project/opensearch@3.6.2 pkg:npm/@squawk/airport-data@0.7.4 pkg:npm/@squawk/airport-data@0.7.5 pkg:npm/@squawk/airport-data@0.7.6 pkg:npm/@squawk/airport-data@0.7.7 pkg:npm/@squawk/airport-data@0.7.8 pkg:npm/@squawk/airports@0.6.2 pkg:npm/@squawk/airports@0.6.3 pkg:npm/@squawk/airports@0.6.4 pkg:npm/@squawk/airports@0.6.5 pkg:npm/@squawk/airports@0.6.6 pkg:npm/@squawk/airspace@0.8.1 pkg:npm/@squawk/airspace@0.8.2 pkg:npm/@squawk/airspace@0.8.3 pkg:npm/@squawk/airspace@0.8.4 pkg:npm/@squawk/airspace@0.8.5 pkg:npm/@squawk/airspace-data@0.5.3 pkg:npm/@squawk/airspace-data@0.5.4 pkg:npm/@squawk/airspace-data@0.5.5 pkg:npm/@squawk/airspace-data@0.5.6 pkg:npm/@squawk/airspace-data@0.5.7 pkg:npm/@squawk/airway-data@0.5.4 pkg:npm/@squawk/airway-data@0.5.5 pkg:npm/@squawk/airway-data@0.5.6 pkg:npm/@squawk/airway-data@0.5.7 pkg:npm/@squawk/airway-data@0.5.8 pkg:npm/@squawk/airways@0.4.2 pkg:npm/@squawk/airways@0.4.3 pkg:npm/@squawk/airways@0.4.4 pkg:npm/@squawk/airways@0.4.5 pkg:npm/@squawk/airways@0.4.6 pkg:npm/@squawk/fix-data@0.6.4 pkg:npm/@squawk/fix-data@0.6.5 pkg:npm/@squawk/fix-data@0.6.6 pkg:npm/@squawk/fix-data@0.6.7 pkg:npm/@squawk/fix-data@0.6.8 pkg:npm/@squawk/fixes@0.3.2 pkg:npm/@squawk/fixes@0.3.3 pkg:npm/@squawk/fixes@0.3.4 pkg:npm/@squawk/fixes@0.3.5 pkg:npm/@squawk/fixes@0.3.6 pkg:npm/@squawk/flight-math@0.5.4 pkg:npm/@squawk/flight-math@0.5.5 pkg:npm/@squawk/flight-math@0.5.6 pkg:npm/@squawk/flight-math@0.5.7 pkg:npm/@squawk/flight-math@0.5.8 pkg:npm/@squawk/flightplan@0.5.2 pkg:npm/@squawk/flightplan@0.5.3 pkg:npm/@squawk/flightplan@0.5.4 pkg:npm/@squawk/flightplan@0.5.5 pkg:npm/@squawk/flightplan@0.5.6 pkg:npm/@squawk/geo@0.4.4 pkg:npm/@squawk/geo@0.4.5 pkg:npm/@squawk/geo@0.4.6 pkg:npm/@squawk/geo@0.4.7 pkg:npm/@squawk/geo@0.4.8 pkg:npm/@squawk/icao-registry@0.5.2 pkg:npm/@squawk/icao-registry@0.5.3 pkg:npm/@squawk/icao-registry@0.5.4 pkg:npm/@squawk/icao-registry@0.5.5 pkg:npm/@squawk/icao-registry@0.5.6 pkg:npm/@squawk/icao-registry-data@0.8.4 pkg:npm/@squawk/icao-registry-data@0.8.5 pkg:npm/@squawk/icao-registry-data@0.8.6 pkg:npm/@squawk/icao-registry-data@0.8.7 pkg:npm/@squawk/icao-registry-data@0.8.8 pkg:npm/@squawk/mcp@0.9.1 pkg:npm/@squawk/mcp@0.9.2 pkg:npm/@squawk/mcp@0.9.3 pkg:npm/@squawk/mcp@0.9.4 pkg:npm/@squawk/mcp@0.9.5 pkg:npm/@squawk/navaid-data@0.6.4 pkg:npm/@squawk/navaid-data@0.6.5 pkg:npm/@squawk/navaid-data@0.6.6 pkg:npm/@squawk/navaid-data@0.6.7 pkg:npm/@squawk/navaid-data@0.6.8 pkg:npm/@squawk/navaids@0.4.2 pkg:npm/@squawk/navaids@0.4.3 pkg:npm/@squawk/navaids@0.4.4 pkg:npm/@squawk/navaids@0.4.5 pkg:npm/@squawk/navaids@0.4.6 pkg:npm/@squawk/notams@0.3.10 pkg:npm/@squawk/notams@0.3.6 pkg:npm/@squawk/notams@0.3.7 pkg:npm/@squawk/notams@0.3.8 pkg:npm/@squawk/notams@0.3.9 pkg:npm/@squawk/procedure-data@0.7.3 pkg:npm/@squawk/procedure-data@0.7.4 pkg:npm/@squawk/procedure-data@0.7.5 pkg:npm/@squawk/procedure-data@0.7.6 pkg:npm/@squawk/procedure-data@0.7.7 pkg:npm/@squawk/procedures@0.5.2 pkg:npm/@squawk/procedures@0.5.3 pkg:npm/@squawk/procedures@0.5.4 pkg:npm/@squawk/procedures@0.5.5 pkg:npm/@squawk/procedures@0.5.6 pkg:npm/@squawk/types@0.8.1 pkg:npm/@squawk/types@0.8.2 pkg:npm/@squawk/types@0.8.3 pkg:npm/@squawk/types@0.8.4 pkg:npm/@squawk/types@0.8.5 pkg:npm/@squawk/units@0.4.3 pkg:npm/@squawk/units@0.4.4 pkg:npm/@squawk/units@0.4.5 pkg:npm/@squawk/units@0.4.6 pkg:npm/@squawk/units@0.4.7 pkg:npm/@squawk/weather@0.5.10 pkg:npm/@squawk/weather@0.5.6 pkg:npm/@squawk/weather@0.5.7 pkg:npm/@squawk/weather@0.5.8 pkg:npm/@squawk/weather@0.5.9 pkg:npm/@supersurkhet/cli@0.0.2 pkg:npm/@supersurkhet/cli@0.0.3 pkg:npm/@supersurkhet/cli@0.0.4 pkg:npm/@supersurkhet/cli@0.0.5 pkg:npm/@supersurkhet/cli@0.0.6 pkg:npm/@supersurkhet/cli@0.0.7 pkg:npm/@supersurkhet/sdk@0.0.2 pkg:npm/@supersurkhet/sdk@0.0.3 pkg:npm/@supersurkhet/sdk@0.0.4 pkg:npm/@supersurkhet/sdk@0.0.5 pkg:npm/@supersurkhet/sdk@0.0.6 pkg:npm/@supersurkhet/sdk@0.0.7 pkg:npm/@tallyui/components@1.0.1 pkg:npm/@tallyui/components@1.0.2 pkg:npm/@tallyui/components@1.0.3 pkg:npm/@tallyui/connector-medusa@1.0.1 pkg:npm/@tallyui/connector-medusa@1.0.2 pkg:npm/@tallyui/connector-medusa@1.0.3 pkg:npm/@tallyui/connector-shopify@1.0.1 pkg:npm/@tallyui/connector-shopify@1.0.2 pkg:npm/@tallyui/connector-shopify@1.0.3 pkg:npm/@tallyui/connector-vendure@1.0.1 pkg:npm/@tallyui/connector-vendure@1.0.2 pkg:npm/@tallyui/connector-vendure@1.0.3 pkg:npm/@tallyui/connector-woocommerce@1.0.1 pkg:npm/@tallyui/connector-woocommerce@1.0.2 pkg:npm/@tallyui/connector-woocommerce@1.0.3 pkg:npm/@tallyui/core@0.2.1 pkg:npm/@tallyui/core@0.2.2 pkg:npm/@tallyui/core@0.2.3 pkg:npm/@tallyui/database@1.0.1 pkg:npm/@tallyui/database@1.0.2 pkg:npm/@tallyui/database@1.0.3 pkg:npm/@tallyui/pos@0.1.1 pkg:npm/@tallyui/pos@0.1.2 pkg:npm/@tallyui/pos@0.1.3 pkg:npm/@tallyui/storage-sqlite@0.2.1 pkg:npm/@tallyui/storage-sqlite@0.2.2 pkg:npm/@tallyui/storage-sqlite@0.2.3 pkg:npm/@tallyui/theme@0.2.1 pkg:npm/@tallyui/theme@0.2.2 pkg:npm/@tallyui/theme@0.2.3 pkg:npm/@tanstack/arktype-adapter@1.166.12 pkg:npm/@tanstack/arktype-adapter@1.166.15 pkg:npm/@tanstack/eslint-plugin-router@1.161.12 pkg:npm/@tanstack/eslint-plugin-router@1.161.9 pkg:npm/@tanstack/eslint-plugin-start@0.0.4 pkg:npm/@tanstack/eslint-plugin-start@0.0.7 pkg:npm/@tanstack/history@1.161.12 pkg:npm/@tanstack/history@1.161.9 pkg:npm/@tanstack/nitro-v2-vite-plugin@1.154.12 pkg:npm/@tanstack/nitro-v2-vite-plugin@1.154.15 pkg:npm/@tanstack/react-router@1.169.5 pkg:npm/@tanstack/react-router@1.169.8 pkg:npm/@tanstack/react-router-devtools@1.166.16 pkg:npm/@tanstack/react-router-devtools@1.166.19 pkg:npm/@tanstack/react-router-ssr-query@1.166.15 pkg:npm/@tanstack/react-router-ssr-query@1.166.18 pkg:npm/@tanstack/react-start@1.167.68 pkg:npm/@tanstack/react-start@1.167.71 pkg:npm/@tanstack/react-start-client@1.166.51 pkg:npm/@tanstack/react-start-client@1.166.54 pkg:npm/@tanstack/react-start-rsc@0.0.47 pkg:npm/@tanstack/react-start-rsc@0.0.50 pkg:npm/@tanstack/react-start-server@1.166.55 pkg:npm/@tanstack/react-start-server@1.166.58 pkg:npm/@tanstack/router-cli@1.166.46 pkg:npm/@tanstack/router-cli@1.166.49 pkg:npm/@tanstack/router-core@1.169.5 pkg:npm/@tanstack/router-core@1.169.8 pkg:npm/@tanstack/router-devtools@1.166.16 pkg:npm/@tanstack/router-devtools@1.166.19 pkg:npm/@tanstack/router-devtools-core@1.167.6 pkg:npm/@tanstack/router-devtools-core@1.167.9 pkg:npm/@tanstack/router-generator@1.166.45 pkg:npm/@tanstack/router-generator@1.166.48 pkg:npm/@tanstack/router-plugin@1.167.38 pkg:npm/@tanstack/router-plugin@1.167.41 pkg:npm/@tanstack/router-ssr-query-core@1.168.3 pkg:npm/@tanstack/router-ssr-query-core@1.168.6 pkg:npm/@tanstack/router-utils@1.161.11 pkg:npm/@tanstack/router-utils@1.161.14 pkg:npm/@tanstack/router-vite-plugin@1.166.53 pkg:npm/@tanstack/router-vite-plugin@1.166.56 pkg:npm/@tanstack/solid-router@1.169.5 pkg:npm/@tanstack/solid-router@1.169.8 pkg:npm/@tanstack/solid-router-devtools@1.166.16 pkg:npm/@tanstack/solid-router-devtools@1.166.19 pkg:npm/@tanstack/solid-router-ssr-query@1.166.15 pkg:npm/@tanstack/solid-router-ssr-query@1.166.18 pkg:npm/@tanstack/solid-start@1.167.65 pkg:npm/@tanstack/solid-start@1.167.68 pkg:npm/@tanstack/solid-start-client@1.166.50 pkg:npm/@tanstack/solid-start-client@1.166.53 pkg:npm/@tanstack/solid-start-server@1.166.54 pkg:npm/@tanstack/solid-start-server@1.166.57 pkg:npm/@tanstack/start-client-core@1.168.5 pkg:npm/@tanstack/start-client-core@1.168.8 pkg:npm/@tanstack/start-fn-stubs@1.161.12 pkg:npm/@tanstack/start-fn-stubs@1.161.9 pkg:npm/@tanstack/start-plugin-core@1.169.23 pkg:npm/@tanstack/start-plugin-core@1.169.26 pkg:npm/@tanstack/start-server-core@1.167.33 pkg:npm/@tanstack/start-server-core@1.167.36 pkg:npm/@tanstack/start-static-server-functions@1.166.44 pkg:npm/@tanstack/start-static-server-functions@1.166.47 pkg:npm/@tanstack/start-storage-context@1.166.38 pkg:npm/@tanstack/start-storage-context@1.166.41 pkg:npm/@tanstack/valibot-adapter@1.166.12 pkg:npm/@tanstack/valibot-adapter@1.166.15 pkg:npm/@tanstack/virtual-file-routes@1.161.10 pkg:npm/@tanstack/virtual-file-routes@1.161.13 pkg:npm/@tanstack/vue-router@1.169.5 pkg:npm/@tanstack/vue-router@1.169.8 pkg:npm/@tanstack/vue-router-devtools@1.166.16 pkg:npm/@tanstack/vue-router-devtools@1.166.19 pkg:npm/@tanstack/vue-router-ssr-query@1.166.15 pkg:npm/@tanstack/vue-router-ssr-query@1.166.18 pkg:npm/@tanstack/vue-start@1.167.61 pkg:npm/@tanstack/vue-start@1.167.64 pkg:npm/@tanstack/vue-start-client@1.166.46 pkg:npm/@tanstack/vue-start-client@1.166.49 pkg:npm/@tanstack/vue-start-server@1.166.50 pkg:npm/@tanstack/vue-start-server@1.166.53 pkg:npm/@tanstack/zod-adapter@1.166.12 pkg:npm/@tanstack/zod-adapter@1.166.15 pkg:npm/@taskflow-corp/cli@0.1.24 pkg:npm/@taskflow-corp/cli@0.1.25 pkg:npm/@taskflow-corp/cli@0.1.26 pkg:npm/@taskflow-corp/cli@0.1.27 pkg:npm/@taskflow-corp/cli@0.1.28 pkg:npm/@taskflow-corp/cli@0.1.29 pkg:npm/@tolka/cli@1.0.2 pkg:npm/@tolka/cli@1.0.3 pkg:npm/@tolka/cli@1.0.4 pkg:npm/@tolka/cli@1.0.5 pkg:npm/@tolka/cli@1.0.6 pkg:npm/@uipath/access-policy-sdk@0.3.1 pkg:npm/@uipath/access-policy-tool@0.3.1 pkg:npm/@uipath/admin-tool@0.1.1 pkg:npm/@uipath/agent-sdk@1.0.2 pkg:npm/@uipath/agent-tool@1.0.1 pkg:npm/@uipath/agent.sdk@0.0.18 pkg:npm/@uipath/aops-policy-tool@0.3.1 pkg:npm/@uipath/ap-chat@1.5.7 pkg:npm/@uipath/api-workflow-tool@1.0.1 pkg:npm/@uipath/apollo-core@5.9.2 pkg:npm/@uipath/apollo-react@4.24.5 pkg:npm/@uipath/apollo-wind@2.16.2 pkg:npm/@uipath/auth@1.0.1 pkg:npm/@uipath/case-tool@1.0.1 pkg:npm/@uipath/cli@1.0.1 pkg:npm/@uipath/codedagent-tool@1.0.1 pkg:npm/@uipath/codedagents-tool@0.1.12 pkg:npm/@uipath/codedapp-tool@1.0.1 pkg:npm/@uipath/common@1.0.1 pkg:npm/@uipath/context-grounding-tool@0.1.1 pkg:npm/@uipath/data-fabric-tool@1.0.2 pkg:npm/@uipath/docsai-tool@1.0.1 pkg:npm/@uipath/filesystem@1.0.1 pkg:npm/@uipath/flow-tool@1.0.2 pkg:npm/@uipath/functions-tool@1.0.1 pkg:npm/@uipath/gov-tool@0.3.1 pkg:npm/@uipath/identity-tool@0.1.1 pkg:npm/@uipath/insights-sdk@1.0.1 pkg:npm/@uipath/insights-tool@1.0.1 pkg:npm/@uipath/integrationservice-sdk@1.0.2 pkg:npm/@uipath/integrationservice-tool@1.0.2 pkg:npm/@uipath/llmgw-tool@1.0.1 pkg:npm/@uipath/maestro-sdk@1.0.1 pkg:npm/@uipath/maestro-tool@1.0.1 pkg:npm/@uipath/orchestrator-tool@1.0.1 pkg:npm/@uipath/packager-tool-apiworkflow@0.0.19 pkg:npm/@uipath/packager-tool-bpmn@0.0.9 pkg:npm/@uipath/packager-tool-case@0.0.9 pkg:npm/@uipath/packager-tool-connector@0.0.19 pkg:npm/@uipath/packager-tool-flow@0.0.19 pkg:npm/@uipath/packager-tool-functions@0.1.1 pkg:npm/@uipath/packager-tool-webapp@1.0.6 pkg:npm/@uipath/packager-tool-workflowcompiler@0.0.16 pkg:npm/@uipath/packager-tool-workflowcompiler-browser@0.0.34 pkg:npm/@uipath/platform-tool@1.0.1 pkg:npm/@uipath/project-packager@1.1.16 pkg:npm/@uipath/resource-tool@1.0.1 pkg:npm/@uipath/resourcecatalog-tool@0.1.1 pkg:npm/@uipath/resources-tool@0.1.11 pkg:npm/@uipath/robot@1.3.4 pkg:npm/@uipath/rpa-legacy-tool@1.0.1 pkg:npm/@uipath/rpa-tool@0.9.5 pkg:npm/@uipath/solution-packager@0.0.35 pkg:npm/@uipath/solution-tool@1.0.1 pkg:npm/@uipath/solutionpackager-sdk@1.0.11 pkg:npm/@uipath/solutionpackager-tool-core@0.0.34 pkg:npm/@uipath/tasks-tool@1.0.1 pkg:npm/@uipath/telemetry@0.0.7 pkg:npm/@uipath/test-manager-tool@1.0.2 pkg:npm/@uipath/tool-workflowcompiler@0.0.12 pkg:npm/@uipath/traces-tool@1.0.1 pkg:npm/@uipath/ui-widgets-multi-file-upload@1.0.1 pkg:npm/@uipath/uipath-python-bridge@1.0.1 pkg:npm/@uipath/vertical-solutions-tool@1.0.1 pkg:npm/@uipath/vss@0.1.6 pkg:npm/@uipath/widget.sdk@1.2.3 pkg:npm/agentwork-cli@0.1.4 pkg:npm/agentwork-cli@0.1.5 pkg:npm/cmux-agent-mcp@0.1.3 pkg:npm/cmux-agent-mcp@0.1.4 pkg:npm/cmux-agent-mcp@0.1.5 pkg:npm/cmux-agent-mcp@0.1.6 pkg:npm/cmux-agent-mcp@0.1.7 pkg:npm/cmux-agent-mcp@0.1.8 pkg:npm/cross-stitch@1.1.3 pkg:npm/cross-stitch@1.1.4 pkg:npm/cross-stitch@1.1.5 pkg:npm/cross-stitch@1.1.6 pkg:npm/cross-stitch@1.1.7 pkg:npm/git-branch-selector@1.3.3 pkg:npm/git-branch-selector@1.3.4 pkg:npm/git-branch-selector@1.3.5 pkg:npm/git-branch-selector@1.3.6 pkg:npm/git-branch-selector@1.3.7 pkg:npm/git-git-git@1.0.10 pkg:npm/git-git-git@1.0.11 pkg:npm/git-git-git@1.0.12 pkg:npm/git-git-git@1.0.8 pkg:npm/git-git-git@1.0.9 pkg:npm/ml-toolkit-ts@1.0.4 pkg:npm/ml-toolkit-ts@1.0.5 pkg:npm/nextmove-mcp@0.1.3 pkg:npm/nextmove-mcp@0.1.4 pkg:npm/nextmove-mcp@0.1.5 pkg:npm/nextmove-mcp@0.1.6 pkg:npm/nextmove-mcp@0.1.7 pkg:npm/safe-action@0.8.3 pkg:npm/safe-action@0.8.4 pkg:npm/ts-dna@3.0.1 pkg:npm/ts-dna@3.0.2 pkg:npm/ts-dna@3.0.3 pkg:npm/ts-dna@3.0.4 pkg:npm/ts-dna@3.0.5 pkg:npm/wot-api@0.8.1 pkg:npm/wot-api@0.8.2 pkg:npm/wot-api@0.8.3 pkg:npm/wot-api@0.8.4 pkg:npm/wot-api@0.8.5 pkg:pypi/guardrails-ai@0.10.1 pkg:pypi/mistralai@2.4.6

May 12, 2026

AI Coding Tools Are Creating a Security Gap We Must Close Immediately

Read More
Natalie Tischler

Natalie Tischler

May 8, 2026

The AI Inflection Point That Will Redefine Software Trust

Read More
Brian Roche

Brian Roche

May 7, 2026

The $10 Million Question: Why Are 81% of Organizations Still Getting Breached?

Read More
Natalie Tischler

Natalie Tischler

Veracode Threat Research

By Veracode Threat Research