40 npm Packages Hacked in Supply Chain Attack for Credentials
A recent supply chain attack has compromised over 40 npm packages by injecting malicious scripts that steal developer credentials. The injected code runs TruffleHog, a legitimate secret-scanning tool, to locate sensitive information on the affected developer's system and then exfiltrates it to external servers. Separately, a phishing campaign targeting crates.io users has emerged: deceptive emails urge recipients to rotate their login credentials, falsely claiming that the platform's infrastructure has been compromised. Together these incidents illustrate the escalating threats to software supply chains and the need for heightened vigilance and security measures within the developer community to keep sensitive data from being exploited.