A wave of supply chain security incidents dominates this week's security roundup. The Axios NPM package (100M weekly downloads) was compromised via a phishing attack on its lead developer, resulting in a malicious dependency that installed a remote access trojan on Windows, macOS, and Linux. Separately, Cisco suffered source code and AWS key theft linked to the Trivy GitHub Actions compromise, while a ransomware group claims to hold additional Cisco and Salesforce data. GitHub is accelerating its security roadmap in response: it recommends pinning actions to commit hashes and adopting OIDC, and it is introducing immutable releases. Other stories include AI-discovered vulnerabilities in Vim and Emacs, a Gigabyte Control Center arbitrary file write flaw (CVE-2026-4415), multiple Apache web server CVEs, and Node.js suspending its bug bounty program due to funding cuts.
Table of contents
A Good Day for AI
Bad Days for Cisco and Salesforce
Gigabyte Vulnerability
Securing GitHub Actions
Apache Vuls hit macOS, Others
Node.JS Bounty Program Paused