25-Year-Old cURL Vulnerability Patched in Record-Breaking Security Release Fixing 18 CVEs
A critical authentication bypass flaw in cURL that had existed undetected for over 25 years has been patched in curl 8.21.0, released June 24, 2026. The release simultaneously...
Supply Chain Attack Compromises 140+ Mastra npm Packages, Targeting Developer Credentials and Crypto Wallets
A sophisticated supply chain attack has compromised over 141 packages in the Mastra-AI npm ecosystem, including @mastra/core which sees 918,000 weekly downloads. Detected on June 17, 2026, the...
Malicious npm Package forge-jsxy Pushes 22 Versions in 22 Days to Steal Crypto Wallets and Deploy Persistent Backdoor
The npm package forge-jsxy quietly stole cryptocurrency wallet keys, browser credentials, and developer data across Windows, macOS, and Linux — publishing 22 malicious versions in 22 days, and...
Five Critical Redis Vulnerabilities Enable Remote Code Execution Across All Editions — Patch Now
Redis has disclosed five high-severity vulnerabilities (CVE-2026-23479, CVE-2026-25243, CVE-2026-25588, CVE-2026-25589, CVE-2026-23631) affecting Redis Cloud, Redis Software, and all open-source community editions. The flaws include use-after-free conditions and memory...
Malicious npm Package js-logger-pack Turns Hugging Face Into Malware CDN and Data Exfiltration Backend
JFrog Security researchers have uncovered a malicious npm package, js-logger-pack, that uses Hugging Face as both a malware delivery network and an exfiltration backend for stolen data. The...