Blog - Lupin & Holmes

What's up?

Fresh

npx Used Confusion and It’s Super Effective illustration

May 21, 2026npx Confusion, Dependency Confusion, Supply Chain Attack, npm, Bug Bounty, AI Agents

npx Used Confusion and It’s Super Effective

node-ipc Compromised: A Dormant Maintainer, an Expired Domain, and What We Think Happened illustration

May 14, 2026Supply Chain Attack, node-ipc, Email Takeover, npm, DNS Tunneling, Depi

node-ipc Compromised: A Dormant Maintainer, an Expired Domain, and What We Think Happened

TanStack Compromised: Inside the GitHub Actions Cache Poisoning That Hit the npm Ecosystem illustration

May 11, 2026Supply Chain Attack, TanStack, GitHub Actions, Cache Poisoning, npm, Depi

TanStack Compromised: Inside the GitHub Actions Cache Poisoning That Hit the npm Ecosystem

Again...

npx Used Confusion and It’s Super Effective illustration

npx Used Confusion and It’s Super Effective

node-ipc Compromised: A Dormant Maintainer, an Expired Domain, and What We Think Happened illustration

node-ipc Compromised: A Dormant Maintainer, an Expired Domain, and What We Think Happened

TanStack Compromised: Inside the GitHub Actions Cache Poisoning That Hit the npm Ecosystem illustration

TanStack Compromised: Inside the GitHub Actions Cache Poisoning That Hit the npm Ecosystem

First Week, First Hack: Compromising a Package with 40 Million Weekly Downloads illustration

First Week, First Hack: Compromising a Package with 40 Million Weekly Downloads

How Ledger Donjon Used Depi to Neutralize a Stealth Supply Chain Threat illustration

How Ledger Donjon Used Depi to Neutralize a Stealth Supply Chain Threat

One Label Away from Backdooring 80 million installations per week illustration

One Label Away from Backdooring 80 million installations per week

We Hacked the npm Supply Chain of 36 Million Weekly Installs illustration

We Hacked the npm Supply Chain of 36 Million Weekly Installs

Depi is Now Available on AWS Marketplace ! illustration

Depi is Now Available on AWS Marketplace !

Netflix Vulnerability: Dependency Confusion in Action illustration

Netflix Vulnerability: Dependency Confusion in Action

We hacked Google’s A.I Gemini and leaked its source code (at least some part) illustration

We hacked Google’s A.I Gemini and leaked its source code (at least some part)

Depi Launch: A New Approach to Software Supply Chain Security illustration

Depi Launch: A New Approach to Software Supply Chain Security

How We Hacked a Software Supply Chain for $50K illustration

How We Hacked a Software Supply Chain for $50K