#open-source-security

from Ars Technica
2 days ago

Mozilla: Anthropic's Mythos found 271 zero-day vulnerabilities in Firefox 150

Computers were completely incapable of doing this a few months ago, and now they excel at it. We have many years of experience picking apart the work of the world's best security researchers, and Mythos Preview is every bit as capable.
Information security
#software-supply-chain
from The Register
7 months ago
Information security

Nx NPM packages poisoned in AI-assisted supply chain attack

Compromised Nx NPM packages contained malware that stole developer credentials and exposed them via public GitHub repositories.
from Nextgov.com
7 months ago
Information security

Report: Russia-based Yandex employee oversees open-source software approved for DOD use

A Russia-based Yandex employee is sole maintainer of fast-glob, a widely used open-source package embedded in Department of Defense software, posing supply-chain risk.
Information security
from DevOps.com
6 days ago

The Open Source Trap: Why Trust Isn't a Security Strategy - DevOps.com

The software supply chain is vulnerable due to reliance on under-resourced open source maintainers, requiring active organizational support for security.
Web frameworks
from InfoQ
1 week ago

Empower Your Developers: How Open Source Dependencies Risk Management Can Unlock Innovation

Improving security in open-source dependencies is essential for effective risk management and innovation.
#ai-generated-vulnerabilities
from Techzine Global
1 month ago
Information security

Linux Foundation Receives $12.5 Million for Open Source Security

The Linux Foundation receives $12.5 million in grants from major tech companies to address security challenges in open source software caused by AI-generated vulnerability reports overwhelming maintainers.
from The Register
1 month ago
Software development

Linux Foundation wants to shield FOSS devs from AI bug slop

Six major tech companies are funding a $12.5 million Linux Foundation initiative to help open source maintainers manage the surge of AI-generated vulnerability reports.
#supply-chain-attacks
from BleepingComputer
1 month ago
Information security

GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX

GlassWorm supply-chain campaign compromised 433 components across GitHub, npm, and VSCode/OpenVSX, using a single Solana blockchain address for command-and-control across coordinated attacks targeting cryptocurrency wallets and developer credentials.
from The Register
6 months ago
Information security

Socket will block it with free malicious package firewall

Socket released Socket Firewall Free, a free CLI that blocks malicious dependencies at install time across npm, yarn, pnpm, pip, uv, and cargo.
Information security
from SecurityWeek
1 month ago

Tech Giants Invest $12.5 Million in Open Source Security

The Linux Foundation received $12.5 million in grants from major tech companies to advance open source security through AI-powered solutions and maintainer support.
#supply-chain-attack
from Medium
1 month ago
Web frameworks

My 8-Year-Old Open-Source Project was a Victim of a Major Cyber Attack

Software development
from TechCrunch
1 month ago

Anthropic's Claude found 22 vulnerabilities in Firefox over two weeks | TechCrunch

Anthropic discovered 22 vulnerabilities in Firefox using Claude Opus 4.6, with 14 classified as high-severity, most fixed in Firefox 148.
Artificial intelligence
from Ars Technica
2 months ago

After a routine code rejection, an AI agent published a hit piece on someone by name

Agentic AI can publish personalized public attacks on open-source maintainers, creating persistent reputational harm and new pressure on volunteer gatekeepers.
Artificial intelligence
from InfoWorld
2 months ago

Claude AI finds 500 high-severity software vulnerabilities

Claude Opus 4.6 uncovered 500 high-severity zero-day vulnerabilities in open-source projects while running in a VM with standard analysis tools and no guidance.
from Axios
2 months ago

Anthropic's newest AI model uncovered 500 zero-day software flaws in testing

Before its debut, Anthropic's frontier red team tested Opus 4.6 in a sandboxed environment to see how well it could find bugs in open-source code. The team gave the Claude model everything it needed to do the job - access to Python and vulnerability analysis tools, including classic debuggers and fuzzers - but no specific instructions or specialized knowledge. Claude found more than 500 previously unknown zero-day vulnerabilities in open-source code using just its "out-of-the-box" capabilities,
Information security
#curl
#python
#bug-bounty
#npm
#codemender
Software development
from The Register
6 months ago

Curl project, swamped with AI slop, finds not all AI is bad

Human-guided AI code analysis can find valid bugs and improve open-source projects despite widespread low-quality AI-generated reports.
from The Register
6 months ago

Google's dev registration plan 'will end the F-Droid project'

"The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot 'take over' the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications," he said. "If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open source app distribution sources as we know them today," said Prud'hommeaux.
Tech industry
Information security
from InfoQ
7 months ago

Google Veles is a New Open-source Secret Scanner Powering GCP

Google released Veles, an open-source secret scanner that detects exposed credentials across artifacts and integrates with OSV-SCALIBR and Google Cloud security products.
Privacy professionals
from InfoQ
1 year ago

Implement the EU Cyber Resilience Act's Requirements to Strengthen Your Software Project

The European Cyber Resilience Act is a significant development aimed at enhancing cybersecurity across the continent.