JFrog says six malicious npm packages used hidden install-time execution, JSONKeeper fetches, and sandbox checks to enable remote access.
Attackers can inject indirect prompts in normal-looking repositories to trick Claude Code into spawning a reverse shell.
Google introduced the new hand-wave reCAPTCHA because AI bots can solve regular puzzles. Turns out, this one can be bypassed ...