Attackers pulled off a coordinated supply chain compromise that poisoned 34 packages across the three largest package registries. The malicious packages span npm, PyPI, and crates.io, so developers working in the JavaScript, Python, and Rust ecosystems are all in the blast radius. Many teams pull these libraries into builds without auditing their contents, which lets hostile code slip quietly into production environments. The incident is another reminder of how fragile open-source supply chains remain, particularly for projects that auto-update dependencies without pinning versions or verifying signatures.
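The blurb names version pinning as one of the controls that limits exposure to a poisoned release. The following is an added example, not code from the report or from any of the affected projects: a small audit that scans the manifest formats of the three ecosystems mentioned (requirements.txt for PyPI, package.json for npm, Cargo.toml for crates.io) and lists every dependency whose version specifier would let an automatic update resolve to a newly published release. The manifests embedded at the bottom are constructed samples, and the package names in them are illustrative only. Signature verification, the other control the report mentions, is registry-specific and is not covered here.

```python
"""Flag dependency declarations that are not pinned to an exact version.

Hypothetical helper (not from the report). Each scanner returns the names of
dependencies that an auto-update could silently move to a newer release.
"""
import json
import re
from typing import Dict, List

# PyPI: a requirement is exact only with '==x.y.z' (not '==x.*').
_PY_EXACT = re.compile(r"^==\s*[0-9][^*,;\s]*(\s|;|,|$)")
# npm: exact is '1.2.3' or '=1.2.3'; '^', '~', '*', 'latest', ranges and
# git/URL specs all let npm pick a newer version.
_NPM_EXACT = re.compile(r"^=?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")
# crates.io: Cargo reads a bare "1.2.3" as caret ("^1.2.3"); only a leading
# '=' fixes the exact release in the manifest itself.
_CARGO_EXACT = re.compile(r"^=\s*\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def unpinned_python(requirements_text: str) -> List[str]:
    """Names in a requirements.txt that are not pinned with '=='."""
    unpinned = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("-"):  # skip options such as -r
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$", line)
        if m and not _PY_EXACT.match(m.group(3).strip()):
            unpinned.append(m.group(1))
    return unpinned


def unpinned_npm(package_json_text: str) -> List[str]:
    """npm dependencies whose specifier is not a single exact version."""
    pkg = json.loads(package_json_text)
    unpinned = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if not _NPM_EXACT.match(str(spec).strip()):
                unpinned.append(name)
    return unpinned


def unpinned_cargo(cargo_toml_text: str) -> List[str]:
    """Crates in dependency tables of a Cargo.toml without an '=x.y.z' pin."""
    unpinned = []
    in_deps = False
    for raw in cargo_toml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.startswith("["):  # table header: are we in a dependency table?
            table = line.strip("[] ")
            in_deps = table in ("dependencies", "dev-dependencies",
                                "build-dependencies") or table.endswith(".dependencies")
            continue
        m = re.match(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(.*)$", line)
        if not in_deps or not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if value.startswith('"'):            # name = "1.2.3"
            spec = value.strip('"')
        else:                                # name = { version = "...", ... }
            v = re.search(r'\bversion\s*=\s*"([^"]*)"', value)
            spec = v.group(1) if v else ""   # git/path dep without a version
        if not _CARGO_EXACT.match(spec.strip()):
            unpinned.append(name)
    return unpinned


def audit(requirements_text: str, package_json_text: str,
          cargo_toml_text: str) -> Dict[str, List[str]]:
    """Run all three scanners and group findings by registry."""
    return {
        "pypi": unpinned_python(requirements_text),
        "npm": unpinned_npm(package_json_text),
        "crates.io": unpinned_cargo(cargo_toml_text),
    }


# Constructed sample manifests (not taken from the incident).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 --hash=sha256:placeholder
urllib3>=1.26
flask
"""
SAMPLE_PACKAGE_JSON = """{
  "name": "constructed-sample",
  "dependencies": {"lodash": "4.17.21", "express": "^4.18.2", "left-pad": "*"},
  "devDependencies": {"jest": "~29.0.0", "typescript": "=5.3.3"}
}"""
SAMPLE_CARGO_TOML = """\
[package]
name = "constructed-sample"
version = "0.1.0"

[dependencies]
serde = "=1.0.197"
tokio = { version = "1.36", features = ["full"] }
rand = "0.8"
mylib = { git = "https://example.invalid/mylib" }

[dev-dependencies]
criterion = "=0.5.1"
"""

if __name__ == "__main__":
    for registry, names in audit(SAMPLE_REQUIREMENTS, SAMPLE_PACKAGE_JSON,
                                 SAMPLE_CARGO_TOML).items():
        print(f"{registry}: unpinned -> {names}")
```

On the sample manifests the audit reports urllib3 and flask for PyPI, express, left-pad and jest for npm, and tokio, rand and mylib for crates.io. A committed lockfile (package-lock.json, Cargo.lock, or hash-pinned requirements) is the stronger control, since it fixes the resolved release even where the manifest uses a range; this scanner only points out where the manifest alone would allow drift.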