Developer security today: npm, IDE plugins, wallpapers and exposed secrets
A practical cybersecurity digest for developers and security teams, compiled from today’s strongest stories.
Today’s developer-security news has a common theme: attackers are moving closer to the tools that engineers already trust. The strongest signals came from open-source package reporting, JetBrains’ own ecosystem update, Kaspersky’s research into Steam Workshop abuse, and security coverage on credential visibility for developer endpoints.

Mastra npm packages show how fast a namespace can turn dangerous
Endor Labs, JFrog, Socket, StepSecurity and The Hacker News reported a supply-chain incident affecting as many as 144 packages in the @mastra npm namespace. The campaign, tracked as easy-day-js, involved malicious dependency versions and mass publishing after a contributor account was compromised. Orca Security noted that @mastra/core alone had roughly 918,000 weekly downloads. Any team that installed affected @mastra/* packages after June 16 should treat build machines, developer workstations and CI runners as potentially exposed until logs, lockfiles and tokens are reviewed.
Malicious IDE plugins target the new crown jewels: AI API keys
JetBrains said it removed 15 third-party Marketplace plugins designed to steal AI provider API keys and disabled installed copies through backend controls. Reporting from The Hacker News and researchers around the incident shows why this class of attack is attractive: AI coding tools often sit inside the IDE, near source code, prompts and paid model credentials. Security teams should now treat plugin review as part of secrets management, not as a minor productivity preference.
Wallpaper Engine malware is a reminder that executable content travels through communities
Kaspersky and BleepingComputer reported malware distributed through Steam Workshop content for Wallpaper Engine, including wallpaper packages that can contain executables or password-protected archives. The lesson is broader than gaming: any ecosystem that lets users share active content can become a delivery channel. Consumer devices used for development deserve the same endpoint hygiene as office laptops.
Credential visibility moves onto developer machines
Help Net Security covered GitGuardian’s Developer Endpoint Protection, a product pitch but also a useful marker of market direction: companies are trying to discover secrets not only in Git repositories, but also on the machines where developers actually work. That reflects the reality of AI-assisted development, local notebooks, temporary scripts and copied tokens. The practical control is simple to state and hard to maintain: know where secrets are before an attacker does.
Immediate checklist
For today’s incidents, teams should check npm lockfiles and CI installs, rotate exposed tokens, audit IDE and browser extensions, disable unused plugin permissions, and bring developer endpoints into secrets scanning. Sources checked include Endor Labs, JFrog Security Research, Socket, StepSecurity, The Hacker News, Orca Security, JetBrains, Kaspersky, BleepingComputer and Help Net Security.