North Korea Hit Axios npm While TeamPCP Burned 1,000 Environments
North Korea's UNC1069 hit Axios npm (183M downloads) while TeamPCP compromised 1,000+ SaaS environments and Lapsus$ claimed 4TB from Mercor AI.

12.5 Million Downloads a Month. She's Never Seen Her Code on a Screen.
A visually impaired developer in Copenhagen maintains pypandoc, a top 1% Python package with 12.5M monthly downloads used by Adobe, Google, and Microsoft.

95 Million Downloads. Poisoned by Its Own Security Scanner.
You never installed LiteLLM. CrewAI did. For 5 hours on March 24, every Python process on your machine was stealing your AWS keys, SSH credentials, and Kubernetes tokens.

Open Source & Linux Weekly - W13_2026
X11 died without a funeral. Canonical bets on post-quantum crypto and Rust. TeamPCP hacks four supply chain targets in ten days. Weekly OSS & Linux roundup.

Mozilla. WordPress. Now Manjaro. Open Source Keeps Dying the Same Way.
He fired the only person watching the money. Made himself treasurer. 2 years later, his own 50/50 business partner signed a public manifesto against him.

Every Line Looked Clean. The Malware Was Hiding in Characters No Editor on Earth Can Render.
You could stare at the infected file for hours and see nothing. The attack hit 200 Python repos, 151 JS/TS repos, 72 VS Code extensions, and 10 npm packages. A researcher traced 50 blockchain transactions spanning three months. Nobody noticed.

A Child Safety Nonprofit Filed Taxes as a Lemonade Stand. Then It Wrote Laws in 20 States.
86 lobbyists. 45 states. $2B in nonprofit grants. One company in the USA. A GitHub researcher pulled IRS filings, WHOIS records, and Senate disclosures.

27 Years, 50 Releases, 1 Breakup: How GNOME 50 Just Changed the Way Your Desktop Works
GNOME and X11 were together for 27 years and 50 releases. GNOME 50 Tokyo ended the relationship. Ubuntu and Fedora ship it next month. Here is who gets hurt.

$10 Trillion in Market Cap. $12.5 Million for Open Source. I Pulled Their Receipts.
Seven companies worth $10 trillion wrote a $12.5M check for open source. I pulled every receipt. The last one involves five million stolen books.

4 Billion Devices Run His Code. He Said He Was Drowning. A Spy Was Already Inside.
One spy. 849 days of fake patches. A burned-out maintainer who just wanted help. A backdoor almost opened every Linux server on Earth.