The hacking group TeamPCP has launched a widespread supply chain campaign, expanding from a Trivy vulnerability scanner compromise to target Docker Hub, NPM, VS Code, and PyPI. By exploiting GitHub Action tokens to distribute info-stealing malware, the threat actor is likely collaborating with Lapsus$ to steal developer credentials and cloud tokens. Read the full story at SecurityWeek.

An accidental leak of over 512,000 lines of Anthropic's proprietary Claude Code source code has exposed a critical, unauthenticated remote code execution (RCE) vulnerability. Discovered by Adversa AI within days of the March 31, 2026, leak, this flaw poses significant supply chain risks and allows for potential malicious exploitation of developer tools. For more details, visit SecurityWeek.

The widely used Axios npm package was compromised in a supply chain attack by North Korean-linked actors, who hijacked a maintainer's account to publish malicious versions 1.14.1 and 0.30.4. These versions, active for three hours on March 31, 2026, introduced a "phantom dependency" that installed the WAVESHAPER.V2 remote access trojan on developer systems. Users are advised to immediately audit lockfiles and rotate developer credentials. Read the full story at SecurityWeek.

BeyondTrust Phantom Labs researchers identified a critical command injection vulnerability in OpenAI’s Codex cloud environment, allowing for the potential theft of sensitive GitHub User Access Tokens. By exploiting improper input sanitization in the branch name parameter, attackers could execute arbitrary commands and exfiltrate credentials, a flaw OpenAI has since remediated. Read the full story at BeyondTrust.

The JavaScript ecosystem faced a significant threat this week as the ubiquitous axios package was compromised. Read Updated Dev’s deep dive into the axios story

TypeScript 6.0 has officially launched, marking the final major release built on a JavaScript codebase. As detailed by the TypeScript team, this version serves as a functional bridge to TypeScript 7.0, which is being rewritten in Go to leverage native performance and multi-threading for dramatically faster builds.

A high-profile petition is currently circulating within the Node.js community calling for a ban on AI-generated code in the project’s core internals. The debate was sparked by a massive 19,000-line pull request that utilized AI tools, raising concerns among contributors about long-term maintainability and the "dilution" of hand-written code.

The Temporal API has reached a major milestone, with built-in types now included in TypeScript 6.0 and implementation progress in major browsers, finally providing a modern solution for JavaScript date and time handling.

In the ecosystem, Eleventy has officially rebranded to Build Awesome following its acquisition by Font Awesome. Recent releases also include

Vite 8.0, which introduces a major architectural shift by replacing the dual-bundler system with Rolldown, a Rust-based bundler that delivers 10–30x faster production builds. This update unifies development and production environments for better consistency and adds features like native TypeScript path resolution, integrated devtools, and browser console forwarding to the terminal.

Continue to read our AI Roundup & Tips on Securing from Supply Chain Attacks!

AI roundup

The AI landscape faced a significant security test this week as Anthropic accidentally leaked approximately 512,000 lines of source code for its agentic coding tool, Claude Code, via a misconfigured npm package. Almost immediately, researchers at Adversa AI identified a critical vulnerability within the leaked code: the tool’s security "deny rules" are automatically bypassed if it is presented with more than 50 subcommands. In such cases, the system defaults to a simple "ask" prompt, allowing potentially malicious actions, like credential exfiltration via curl, to execute if the user provides a routine authorization.

Google has officially launched the Gemma 4 family of open models, emphasizing high-performance, local-first AI. These models feature advanced reasoning, native multimodality (processing text, audio, and video), and "agentic" capabilities like function-calling. Specifically, the Effective 2B and 4B variants are optimized for mobile and edge devices, boasting "near-zero latency" and high power efficiency, allowing developers to build autonomous, offline AI assistants directly on consumer hardware.

Google has expanded access to the 2 million token context window for Gemini 1.5 Pro on Vertex AI. This update allows enterprises to ingest large datasets within a single prompt, reducing reliance on retrieval-augmented generation (RAG) for complex data analysis.

The past week has felt like a collision between rapid innovation and security reality. We are seeing a "tug-of-war" where AI tools are shipping at breakneck speeds as seen with Vite 8 and Gemma 4 only to be immediately met by sophisticated supply chain attacks like the Axios breach.

For frontend developers, the "signal" is clear: the era of "JavaScript-only" infrastructure is ending. With TypeScript 7.0 moving to Go, Vite adopting Rolldown, and the Temporal API finally fixing dates, the web platform is becoming more native, more performant, and significantly more complex to secure.

-Mariam

Updated Dev