Published May 27, 2026 · Added May 30, 2026

Supply chain brain drain: npm attacker foolishly leaks own GitHub private token

The Register reports on a malicious npm package aimed at Claude users that imitated AI tooling, pulled in npm-slop dependencies, and accidentally exposed the attacker's GitHub token, highlighting AI-tooling supply-chain risk in the open source package ecosystem.
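The two things the story turns on, an install-time hook in a lookalike package and a GitHub token hard-coded into its files, are both checkable before `npm install` runs anything. The script below is an added example written for this page, not code from The Register or from the package in the story: it audits an unpacked package (what `npm pack` plus untar yields) for lifecycle scripts and for strings shaped like GitHub tokens. The sample package, its name and the token inside it are constructed for illustration; the token prefixes and lengths follow GitHub's documented formats but the patterns are deliberately approximate.

```javascript
// Added example: pre-install audit of an unpacked npm package.
// Flags (1) lifecycle scripts that npm runs automatically on install and
// (2) GitHub-token-shaped strings in any file. Sample data is constructed.

// Approximate GitHub token shapes. Classic PATs are "ghp_" + 36 chars; the
// gho_/ghu_/ghs_/ghr_ families share that length. Fine-grained PATs start
// with "github_pat_" and have a longer alphanumeric/underscore body.
const GITHUB_TOKEN_PATTERNS = [
  /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b/g,
  /\bgithub_pat_[A-Za-z0-9_]{80,}\b/g,
];

// npm executes these without the victim ever importing the module, so a
// malicious package needs nothing more than one of them to run code.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Report only a prefix and the length so the audit output does not itself
// leak the secret into logs or tickets.
function redact(token) {
  return `${token.slice(0, 8)}...(${token.length} chars)`;
}

// Return every token-like substring of `text`, already redacted.
function findGithubTokens(text) {
  const hits = [];
  for (const re of GITHUB_TOKEN_PATTERNS) {
    for (const m of text.matchAll(re)) hits.push(redact(m[0]));
  }
  return hits;
}

// files: Map of relative path -> file contents for the unpacked tarball.
// Returns a list of findings; an empty list means nothing suspicious.
function auditPackage(files) {
  const findings = [];
  const manifest = files.get('package.json');
  if (manifest) {
    const scripts = JSON.parse(manifest).scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (hook in scripts) {
        findings.push({ type: 'install-hook', file: 'package.json', detail: `${hook}: ${scripts[hook]}` });
      }
    }
  }
  for (const [path, content] of files) {
    for (const token of findGithubTokens(content)) {
      findings.push({ type: 'github-token', file: path, detail: token });
    }
  }
  return findings;
}

// Constructed sample mimicking the pattern in the story: an AI-tooling
// lookalike with a postinstall hook and a hard-coded token. The package
// name is hypothetical and the token is not a real credential.
const SAMPLE_PACKAGE = new Map([
  ['package.json', JSON.stringify({
    name: 'claude-helper-tools', version: '1.0.0',
    scripts: { postinstall: 'node setup.js' },
  })],
  ['setup.js', 'const token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"; // constructed\n'],
  ['index.js', 'module.exports = () => "hello";\n'],
]);

for (const f of auditPackage(SAMPLE_PACKAGE)) {
  console.log(`[${f.type}] ${f.file}: ${f.detail}`);
}
```

Run it against a real candidate with `npm pack <name>` followed by `tar xzf` and a short loop that reads each file into the Map; anything under `install-hook` deserves a look at the script before the package goes anywhere near a developer machine or CI runner, and a `github-token` hit is a reason to report the package rather than install it.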


Source: The Register