#open-source-security

Artificial intelligence
from Ars Technica
1 week ago

After a routine code rejection, an AI agent published a hit piece on someone by name

Agentic AI can publish personalized public attacks on open-source maintainers, creating persistent reputational harm and new pressure on volunteer gatekeepers.
Artificial intelligence
from InfoWorld
2 weeks ago

Claude AI finds 500 high-severity software vulnerabilities

Claude Opus 4.6 uncovered 500 high-severity zero-day vulnerabilities in open-source projects while running in a VM with standard analysis tools and no guidance.
from Axios
2 weeks ago

Anthropic's newest AI model uncovered 500 zero-day software flaws in testing

Before its debut, Anthropic's frontier red team tested Opus 4.6 in a sandboxed environment to see how well it could find bugs in open-source code. The team gave the Claude model everything it needed to do the job - access to Python and vulnerability analysis tools, including classic debuggers and fuzzers - but no specific instructions or specialized knowledge. Claude found more than 500 previously unknown zero-day vulnerabilities in open-source code using just its "out-of-the-box" capabilities,
Information security
#curl
#python
Information security
from Ars Technica
1 month ago

Supply chains, AI, and the cloud: The biggest failures (and one success) of 2025

Supply-chain attacks surged in 2024–2025, allowing attackers to compromise single targets and infect thousands or millions of downstream users, causing widespread theft and outages.
#bug-bounty
#npm
from InfoWorld
2 months ago
Information security

A proactive defense against npm supply chain attacks

Widespread reliance on npm packages creates persistent, large-scale security risk as malicious packages can compromise thousands of downstream applications.
from CyberScoop
5 months ago
Information security

The npm incident frightened everyone, but ended up being nothing to fret about

A social-engineering compromise of an npm maintainer briefly poisoned 18 popular packages, but quick detection and response limited the supply-chain attack’s impact and damage.
#codemender
Software development
from The Register
4 months ago

Curl project, swamped with AI slop, finds not all AI is bad

Human-guided AI code analysis can find valid bugs and improve open-source projects despite widespread low-quality AI-generated reports.
Information security
from The Register
4 months ago

Socket will block it with free malicious package firewall

Socket released Socket Firewall Free, a free CLI that blocks malicious dependencies at install time across npm, yarn, pnpm, pip, uv, and cargo.
from The Register
4 months ago

Google's dev registration plan 'will end the F-Droid project'

"The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot 'take over' the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications," he said. "If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open source app distribution sources as we know them today," said Prud'hommeaux.
Tech industry
#software-supply-chain
Information security
from InfoQ
5 months ago

Google Veles is a New Open-source Secret Scanner Powering GCP

Google released Veles, an open-source secret scanner that detects exposed credentials across artifacts and integrates with OSV-SCALIBR and Google Cloud security products.
Privacy professionals
from InfoQ
10 months ago

Implement the EU Cyber Resilience Act's Requirements to Strengthen Your Software Project

The European Cyber Resilience Act is a significant development aimed at enhancing cybersecurity across the continent.