#open-source-security

[ follow ]
#software-supply-chain #supply-chain-attacks #supply-chain-security #supply-chain-attack #bug-bounty #python
#supply-chain-attacks
Information security
fromTechCrunch
4 hours ago

OpenAI says hackers stole some data after latest code security issue | TechCrunch

Hackers injected malicious updates into open source TanStack, compromising OpenAI employee devices and stealing limited credentials while not accessing user data or altering production systems.
fromDevOps.com
3 days ago
Information security

How Open Source Dependency and Repo Attacks Compromise DevOps Pipelines and How to Stay Safe - DevOps.com

fromBleepingComputer
1 month ago
Information security

GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX

GlassWorm supply-chain campaign compromised 433 components across GitHub, npm, and VSCode/OpenVSX, using a single Solana blockchain address for command-and-control across coordinated attacks targeting cryptocurrency wallets and developer credentials.
fromTheregister
7 months ago
Information security

Socket will block it with free malicious package firewall

Socket released Socket Firewall Free, a free CLI that blocks malicious dependencies at install time across npm, yarn, pnpm, pip, uv, and cargo.
Information security
fromTechCrunch
4 hours ago

OpenAI says hackers stole some data after latest code security issue | TechCrunch

Hackers injected malicious updates into open source TanStack, compromising OpenAI employee devices and stealing limited credentials while not accessing user data or altering production systems.
Information security
fromDevOps.com
3 days ago

How Open Source Dependency and Repo Attacks Compromise DevOps Pipelines and How to Stay Safe - DevOps.com

Open source repositories are continuously targeted, and supply-chain attacks exploit weak dependency governance and insecure development practices to compromise many systems at once.
Information security
fromBleepingComputer
1 month ago

GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX

GlassWorm supply-chain campaign compromised 433 components across GitHub, npm, and VSCode/OpenVSX, using a single Solana blockchain address for command-and-control across coordinated attacks targeting cryptocurrency wallets and developer credentials.
more#supply-chain-attacks
Information security
fromZDNET
7 hours ago

The third major Linux kernel flaw in two weeks has been found - thanks to AI

Fragnesia is a Linux kernel page-cache corruption flaw that lets unprivileged users gain reliable root access across major distributions.
DevOps
fromDevOps.com
1 day ago

Hacktron Plans to Build AI Platform to Test Code for Vulnerabilities - DevOps.com

Hacktron is building an AI platform that tests every code change for exploitable vulnerabilities and recommends fixes to reduce DevSecOps false positives.
Information security
fromTechRepublic
2 days ago

Google Says Hackers Used AI to Build Zero-Day Exploit

A zero-day exploit with AI assistance targeted 2FA in an open-source web administration tool, but was disrupted before large-scale use.
fromArs Technica
3 weeks ago

Mozilla: Anthropic's Mythos found 271 zero-day vulnerabilities in Firefox 150

Computers were completely incapable of doing this a few months ago, and now they excel at it. We have many years of experience picking apart the work of the world's best security researchers, and Mythos Preview is every bit as capable.
Information security
#software-supply-chain
Information security
fromDevOps.com
3 weeks ago

The Open Source Trap: Why Trust Isn't a Security Strategy - DevOps.com

The software supply chain is vulnerable due to reliance on under-resourced open source maintainers, requiring active organizational support for security.
more#software-supply-chain
Web frameworks
fromInfoQ
4 weeks ago

Empower Your Developers: How Open Source Dependencies Risk Management Can Unlock Innovation

Improving security in open-source dependencies is essential for effective risk management and innovation.
#ai-generated-vulnerabilities
fromTechzine Global
1 month ago
Information security

Linux Foundation Receives $12.5 Million for Open Source Security

The Linux Foundation receives $12.5 million in grants from major tech companies to address security challenges in open source software caused by AI-generated vulnerability reports overwhelming maintainers.
fromTheregister
1 month ago
Software development

Linux Foundation wants to shield FOSS devs from AI bug slop

Six major tech companies are funding a $12.5 million Linux Foundation initiative to help open source maintainers manage the surge of AI-generated vulnerability reports.
Information security
fromTechzine Global
1 month ago

Linux Foundation Receives $12.5 Million for Open Source Security

The Linux Foundation receives $12.5 million in grants from major tech companies to address security challenges in open source software caused by AI-generated vulnerability reports overwhelming maintainers.
Software development
fromTheregister
1 month ago

Linux Foundation wants to shield FOSS devs from AI bug slop

Six major tech companies are funding a $12.5 million Linux Foundation initiative to help open source maintainers manage the surge of AI-generated vulnerability reports.
more#ai-generated-vulnerabilities
Information security
fromSecurityWeek
1 month ago

Tech Giants Invest $12.5 Million in Open Source Security

The Linux Foundation received $12.5 million in grants from major tech companies to advance open source security through AI-powered solutions and maintainer support.
#supply-chain-attack
more#supply-chain-attack
Software development
fromTechCrunch
2 months ago

Anthropic's Claude found 22 vulnerabilities in Firefox over two weeks | TechCrunch

Anthropic discovered 22 vulnerabilities in Firefox using Claude Opus 4.6, with 14 classified as high-severity, most fixed in Firefox 148.
Artificial intelligence
fromArs Technica
2 months ago

After a routine code rejection, an AI agent published a hit piece on someone by name

Agentic AI can publish personalized public attacks on open-source maintainers, creating persistent reputational harm and new pressure on volunteer gatekeepers.
Artificial intelligence
fromInfoWorld
3 months ago

Claude AI finds 500 high-severity software vulnerabilities

Claude Opus 4.6 uncovered 500 high-severity zero-day vulnerabilities in open-source projects while running in a VM with standard analysis tools and no guidance.
fromAxios
3 months ago

Anthropic's newest AI model uncovered 500 zero-day software flaws in testing

Before its debut, Anthropic's frontier red team tested Opus 4.6 in a sandboxed environment to see how well it could find bugs in open-source code. The team gave the Claude model everything it needed to do the job - access to Python and vulnerability analysis tools, including classic debuggers and fuzzers - but no specific instructions or specialized knowledge. Claude found more than 500 previously unknown zero-day vulnerabilities in open-source code using just its "out-of-the-box" capabilities,
Information security
#curl
more#curl
#python
more#python
#bug-bounty
more#bug-bounty
#npm
more#npm
#codemender
more#codemender
Software development
fromTheregister
7 months ago

Curl project, swamped with AI slop, finds not all AI is bad

Human-guided AI code analysis can find valid bugs and improve open-source projects despite widespread low-quality AI-generated reports.
fromTheregister
7 months ago

Google's dev registration plan 'will end the F-Droid project

"The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot 'take over' the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications," he said. "If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open source app distribution sources as we know them today," said Prud'hommeaux.
Tech industry
Information security
fromInfoQ
8 months ago

Google Veles is a New Open-source Secret Scanner Powering GCP

Google released Veles, an open-source secret scanner that detects exposed credentials across artifacts and integrates with OSV-SCALIBR and Google Cloud security products.
Privacy professionals
fromInfoQ
1 year ago

Implement the EU Cyber Resilience Act's Requirements to Strengthen Your Software Project

The European Cyber Resilience Act is a significant development aimed at enhancing cybersecurity across the continent.
[ Load more ]