Security news aggregator

Latest coverage for Package Manager

Package managers install and update software dependencies, making package integrity and verification important to prevent malicious code and vulnerabilities.

14 headlines in this view

Refine the feed

Search across headline titles and summaries.

Tag briefing

Background for this topic.

Package managers are tools that install, update, configure, and remove software packages and their dependencies. They typically obtain packages from configured repositories, resolve compatible versions, and maintain an inventory of installed components. This makes them a central control point for both software delivery and patching.

Security depends on the trustworthiness of repositories, packages, and dependency metadata. Repository compromise, malicious or typosquatted packages, maintainer-account takeover, and vulnerable transitive dependencies can introduce unwanted code; installation scripts may also run with the user’s privileges. Signature verification and transport security help protect authenticity and delivery, while checksums primarily detect alteration. Organizations should restrict repository sources, review package provenance, use lockfiles or version pinning where appropriate, and continuously inventory dependencies so vulnerability fixes can be prioritized without blindly accepting unsafe updates.

Volume over time

Weekly headline count for the current query.

Showing 14 most recent headlines Filtered view

RubyGems, the standard package manager for the Ruby programming language, has temporarily paused account sign ups following what has been described as a "major malicious attack." "We're dealing with a major malicious attack on RubyGems right now," Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, said in a post on X. "Signups are paused for the time being.

Researchers have exposed a new targeted email campaign aimed at French entities in the construction, real estate, and government sectors that leverages the Chocolatey Windows package manager to deliver a backdoor called Serpent on compromised systems