PyTorch reveals malicious dependency chain compromise between Dec 25th & 30th.

The counterfeit 'tortchtrion' stole SSH keys, first 1000 files in $HOME, .gitconfig and other secrets.

2,300+ downloads seen so far on PyPI.

Uninstall now 👇👇👇
bleepingcomputer.com/news/security/… #opensource Unsurprisingly, the hacker behind the package—that steals all these secrets, claims that they are only collecting "metadata" and wrongly implying this is ethical research. Analysis strongly indicates otherwise.

In 🆕 BBC documentary, Victims of Ukraine War Scammers, @Hannah_Gelbart and I investigate FAKE crypto donation scams capitalizing on the ongoing war to snatch funds away from charities and into their pockets. 💰

Props to @SoyaInk & BBC crew for a brilliant production! And it doesn't stop at just threat actors stealing thousands of dollars in donations from unsuspecting donors.
We come across real people's identities being stolen.
Dr. @MiguelHibert's identity and pics being abused by an 'Aronov Maxim'—but reverse image search reveals the truth.

Russia-based dev Yaffle altered 'event-source-polyfill' #npm package in March to show anti-war messages to Russians, as a a peaceful protest.

This marks the THIRD major #opensource self-sabotage of 2022: npm package is downloaded 600K weekly and used by 135,000+ GitHub repos. After printing the Russian language, the package opens up the user's web browser and directs them to a Change[.]org petition, 'NetVoyne' — signed by over 1.2 million people already.