Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps

Threat actors are abusing Pastebin comments to distribute a new ClickFix-style attack that tricks cryptocurrency users into ...

Wikipedia blacklists website that hijacked users’ computers to run hacking attack

Wikipedia has banned Archive.today after discovering it launched a DDoS attack on a blogger by embedding malicious JavaScript ...
Ars Technica

384,000 sites pull code from sketchy code library recently bought by Chinese firm

More than 384,000 websites are linking to a site that was caught last week performing a supply-chain attack that redirected visitors to malicious sites, researchers said. For years, the JavaScript ...
SecurityWeek

VS Code Configs Expose GitHub Codespaces to Attacks

Attackers can abuse VS Code configuration files for RCE when a GitHub Codespaces user opens a repository or pull request.
adtmag.com

The Worm That Ate JavaScript: Inside the Shai-Hulud Supply Chain Attack

The notification arrived on September 14, 2025, at 17:58 UTC. Somewhere in the sprawling npm registry—home to 2.5 million JavaScript packages that power everything from banking apps to smart ...