Links
Kubernetes v1.35 introduces an opt-in feature for CSI drivers to receive service account tokens through a dedicated secrets field instead of the volume context. This change aims to improve security by preventing accidental logging of sensitive tokens and standardizing how they are handled. Drivers can opt in at their own pace, ensuring backward compatibility.
npm is implementing a staged publishing model to add a review step before packages go live, following a series of supply chain attacks in 2025. This change aims to give maintainers a chance to catch malicious or unintended changes before they are published. The new process requires multi-factor authentication for approval during the staging period.
The Eclipse Foundation revoked some access tokens from its Open VSX project after a report revealed they were exposed in public repositories. This vulnerability could have allowed attackers to manipulate or distribute malicious extensions. New token prefixes and stricter security measures are being implemented to prevent future incidents.
This article outlines recent npm security breaches and provides a checklist for securing npm publish workflows. It emphasizes the importance of using granular npm tokens, 2FA, and trusted publishers to minimize risks from compromised credentials.
Google has warned users of the Salesloft Drift AI chat agent that their security tokens may be compromised following a breach that allowed attackers to access Google Workspace accounts. The situation is more extensive than initially reported, prompting Google to revoke affected tokens and disable integrations, while Salesloft has not yet updated its security guidance to reflect the new findings.
Solana recently addressed a vulnerability that allowed attackers to exploit a bug and steal tokens from users. The platform has implemented a patch to secure its network and prevent further incidents of this nature. Community members are urged to take precautions and monitor their accounts following the attack.