Microsoft Warns Crypto Wallets Face New npm Trojan Risk
Microsoft warns two npm packages deploy a RAT that steals crypto wallet credentials, screenshots and keystrokes via Hugging Face.
InfoWorld AI·
A malicious npm package posing as a remote user interface for OpenAI Codex exfiltrated developer authentication tokens, after attackers allegedly published code to npm that was not visible in the project’s public GitHub repository. Researchers at Aikido said the package, called codexui-android, appeared to offer legitimate functionality while collecting authentication tokens and sending them to an external server. “AI developer tooling is becoming a high-value target precisely because the tokens are powerful and long-lived,” Aikido said. “A stolen Codex refresh_token goes beyond access to a chat interface — it’s persistent, silent access to whatever that account can do.” Aikido said the incident reflected a broader pattern in which attackers build credible and useful projects as cover for malicious activity. “The legitimacy is the attack vector,” Aikido said. “As AI tools proliferate and developers reach for productivity shortcuts, expect more of this.” The case exposes what some secur
Read full articleMicrosoft warns two npm packages deploy a RAT that steals crypto wallet credentials, screenshots and keystrokes via Hugging Face.
The second post from Build Club, our weekly live build session. A companion GitHub repo can be found here. Your inbox is not the problem. The problem is that you are the person other people are waiting on. Some of those messages need you specifically. Most of them need an answer you have already given... The post Build a digital twin agent (with guardrails) appeared first on DataRobot.
Explore 10 top open-source GitHub repositories for modern databases, analytics, SQL, caching, monitoring, replication, PostgreSQL, SQLite, and AI agent memory.
AI-driven coding surge could boost productivity and innovation but raises concerns about code quality, security, and review process adequacy. The post Nvidia CEO Jensen Huang says AI-generated commits on GitHub tripled to 1.4B in 2026 appeared first on Crypto Briefing.
Microsoft is heading to San Francisco this week in a bid to win back developers at its Build conference. I've been attending Build since the days when Microsoft called it the Professional Developers Conference, and I can't remember a more pivotal moment. As Microsoft continues to reshuffle its entire business around AI, it's moving Build into a smaller, more intimate venue. Trust in Windows and GitHub is at an all-time low, and this is Microsoft's chance to reconnect with developers and outline the future. Sources tell me that we'll hear about new AI models in Windows, a new reasoning model from Microsoft AI, and a Copilot "super app." But … Read the full story at The Verge.
Mitchell Hashimoto wants you to stop updating your dependencies, which, from a historical context, is certifiably insane. In fact, in the wake of Mythos and the potential to make zero-day exploits common, it still may sound insane. Yet after the spring npm just had, Hashimoto’s counsel may actually sound less like heresy and more like control. His rule? Fork your dependencies, trim them to what you actually use, and don’t update unless something breaks for your users. In Hashimoto’s view, you don’t update just because GitHub’s Dependabot opened a pull request or even because there’s a newer (presumably more secure) version. If you do update, the work of understanding every relevant commit in the transitive tree is yours, not the maintainer’s. In an industry trained to equate “latest” with “secure,” this sounds reckless, until you look at what happened this spring. In two of the year’s worst npm attacks, many of the people most exposed were the ones pulling fresh versions. When the axio
Solana co-founder Anatoly Yakovenko has called for another attempt to accelerate SOL disinflation, after a new GitHub discussion proposed improving Solana’s tokenomics through a resource-based base fee that would be fully burned. The debate puts SOL issuance, fee burn mechanics and validator economics back at the center of Solana governance after last year’s failed SIMD-0228 […]
Personal agents are exploding in popularity, with open source projects like OpenClaw and Hermes seeing rapid adoption by AI developer communities on GitHub. Built to adapt to individual preferences and workflows, these agents can interact with applications, generate content, automate repetitive processes and manage multi-step tasks — all while running locally on device. Today at […]