Tag: open-source
-
Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks
Tags: apache, attack, control, cybersecurity, flaw, github, google, microsoft, open-source, supply-chain
Cybersecurity researchers have flagged a new class of CI/CD workflow weakness that allows attackers to hijack workflows and compromise open-source supply chains. The “critical exploitable pattern” has been codenamed Cordyceps by Novee Security. The issue can allow full attacker control of repositories at dozens of the largest organizations worldwide, including Microsoft, Google, Apache, and … First seen…
-
Open-source security is posing challenges governments can’t easily solve
A diffuse landscape, fruitful targets, companies not stepping up, AI’s influence and flagging U.S. government efforts all figure into a shifting threat. First seen on cyberscoop.com Jump to article: cyberscoop.com/open-source-software-security-crisis/
-
Praxen: Open-source AI agent behavior verification
Praxen is an open-source tool with a simple job: it checks whether an AI agent does what it claims to do. The tool takes an agent’s declared policy, looks at how the … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/24/praxen-open-source-ai-agent-behavior-verification/
-
Open Source and Modern Authentication: TeleTrusT Podcast on IT Security and Digital Sovereignty
First seen on datensicherheit.de Jump to article: www.datensicherheit.de/open-source-authentifizierung-teletrust-podcast-it-sicherheit
-
DifyTap: Four Bugs Put over 1 million AI Apps at Risk
Four flaws in Dify exposed cross-tenant data, documents and AI conversations. Two critical bugs enabled unauthenticated access and data theft. Zafran Labs researchers disclosed four vulnerabilities in Dify, the open-source AI platform used by major companies like Volvo and Maersk to run over a million applications across over 60 industries. Two vulnerabilities are of critical…
-
DifyTap Flaws Expose AI Data Across Tenants on Platform Powering 1M+ Apps
A series of critical vulnerabilities has been disclosed in the widely used open-source LLMOps platform Dify, which powers over one million AI applications. These vulnerabilities, collectively referred to as “DifyTap,” include four flaws, two rated as critical and two that require no authentication. They expose cross-tenant data leakage risks, allowing attackers to access private AI conversations, preview sensitive…
-
New OpenAI Initiative: “Patch the Planet” Aims to Strengthen Critical Open-Source Software
“Patch the Planet” is intended to combine AI-driven security analysis with human expertise in order to detect vulnerabilities faster. First seen on computerbase.de Jump to article: www.computerbase.de/news/apps/neue-initiative-von-openai-patch-the-planet-soll-kritische-open-source-software-staerken.98050
-
New Open-Source Platform Exposes Cybercrime Networks
The new Cybercrime Atlas Cosmos platform maps the criminal networks, tools and money flows of organized cybercrime. First seen on it-daily.net Jump to article: www.it-daily.net/it-sicherheit/cybercrime/open-source-cybercrime-netzwerke
-
Cybercrime Atlas Cosmos: Open-Source Platform Maps the Cybercrime Ecosystem
Management Summary: A new open platform makes the structures of cybercrime visible by linking actors, tools, marketplaces and money flows in a shared knowledge graph. The solution addresses a growing economic risk: cyberattacks cause heavy losses, affect a large share of companies, and are increasingly organized along a division of labor. For companies and public authorities, the practical benefit comes from shared terminology,……
-
OpenAI Launches Full-Scale Effort to Patch Open-Source Bugs as It Takes on Anthropic’s Mythos
Amid concerns about AI models’ cybersecurity capabilities, OpenAI revealed an improved version of GPT-5.5-Cyber and its “Patch the Planet” initiative to fix open-source software bugs. First seen on wired.com Jump to article: www.wired.com/story/openai-launches-full-scale-effort-to-patch-open-source-bugs-as-it-takes-on-anthropics-mythos/
-
Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants
Cybersecurity researchers have disclosed details of four vulnerabilities in Dify, an open-source agentic workflow platform with more than 146,000 GitHub stars, that could allow attackers to stealthily read artificial intelligence (AI) conversations from other customers’ applications without requiring authentication. The vulnerabilities have been collectively codenamed DifyTap by Zafran Security. First seen on thehackernews.com Jump to article:…
-
pgAdmin 4 Released with Patches for Seven Vulnerabilities and Feature Enhancements
pgAdmin 4 version 9.16 has been released by the pgAdmin Development Team, introducing significant security improvements along with feature enhancements and bug fixes. This update addresses seven vulnerabilities, tracked as CVE-2026-12044 through CVE-2026-12050, and includes 64 bug fixes and various usability upgrades. As one of the most widely used open-source management tools for PostgreSQL environments,…
-
Agent Beacon: Open-source telemetry layer for AI agents
AI coding agents such as Claude Code, Codex CLI, Cursor, and Claude Cowork run on developer laptops, in CI jobs, and in cloud environments, where they edit files, run commands, and call … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/22/agent-beacon-open-source-telemetry-layer-ai-agents/
-
AutoJack Exploit Chain Hits Microsoft AutoGen Studio With Zero-Click RCE Attack
A critical exploit chain dubbed AutoJack allows a single malicious web page to hijack Microsoft’s AutoGen Studio browsing agent and silently execute arbitrary code on the host machine, requiring no user interaction beyond submitting a URL. AutoJack targets AutoGen Studio, Microsoft Research’s open-source prototyping UI for multi-agent AI systems. The technique weaponizes the agent’s built-in web-browsing capabilities…
-
Mastodon 4.6 adds profile Collections and two-factor controls
People who run accounts on the open source social network Mastodon can now group profiles together and share those groups across the web. The 4.6 release centers on a feature … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/19/mastodon-4-6-released/
-
F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution
F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve code execution on affected systems. The vulnerabilities are listed below: CVE-2026-42530 (CVSS v4 score: 9.2) – A use-after-free vulnerability in the ngx_http_v3_module that could be triggered by a remote unauthenticated attacker when NGINX Open…
-
How software development’s speed obsession enabled TeamPCP’s chaos crusade
The threat group’s remarkable success targeting open-source software was inevitable and fueled by the industry’s decision to prioritize code shipping over security. First seen on cyberscoop.com Jump to article: cyberscoop.com/teampcp-breaks-open-source-software-trust-model/
-
145 Mastra npm Packages Compromised via Hijacked Contributor Account
As many as 145 npm packages associated with the Mastra namespace (“@mastra/*”), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js, per findings from Endor Labs, JFrog, OX Security, SafeDep, Socket, StepSecurity, and Snyk. “A single npm account (…
-
A Detailed Guide on Villain C2 Framework
Overview Villain is an open-source command-and-control (C2) framework developed by t3l3machus that turns a single operator console into a full collaborative attack platform. It generates First seen on hackingarticles.in Jump to article: www.hackingarticles.in/a-detailed-guide-on-villain-c2-framework/
-
The Chainguard Athena coalition already shipped 2,000 patches across 500 open source projects
Chainguard launched Athena, an industry coalition that pools open source vulnerability findings and remediates them under embargo before public disclosure. The group went live … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/17/chainguard-athena-coalition-fix-open-source-vulnerabilities/
-
144 Mastra npm Packages Compromised via Hijacked Contributor Account
As many as 144 npm packages associated with the Mastra namespace (“@mastra/*”), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js, per findings from JFrog, SafeDep, Socket, and StepSecurity. “A single npm account (ehindero) mass-published more … First seen on…
-
Microsoft AntiSSRF open-source library helps block server-side request forgery
AntiSSRF is an open-source code library from Microsoft that validates URLs and network connections to reduce server-side request forgery (SSRF) risks in web applications. It … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/17/microsoft-antissrf-open-source-library/
-
Chainguard, JPMorgan, BNY Team Up to Secure Open Source from AI Threats
Athena is a new industry coalition to fix the vulnerabilities frontier AI models find before attackers can exploit them. First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/chainguard-bny-open-source-athena/
-
LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers
A default low-privilege account on a LiteLLM proxy can climb to full admin and run code on the server by chaining three vulnerabilities, researchers at Obsidian Security disclosed. LiteLLM is a widely deployed open-source AI gateway that brokers calls to more than 100 model providers behind one OpenAI-compatible interface. A server takeover exposes every provider key it…
-
New DPAPISnoop Tool Enables Extraction of CREDHIST Hashes From Windows Systems
A newly enhanced version of the open-source DPAPISnoop tool is drawing attention in the security community after researchers demonstrated its ability to extract offline-crackable hashes from Windows DPAPI credential history (CREDHIST) files, potentially exposing historical password material and enabling deeper insight into user password patterns over time. New DPAPISnoop Tool Developed by Nettitude’s CyberLabs team,…
-
Open-source CI/CD abuse detector guards against stolen credential attacks
CI/CD Abuse Detector is an open-source project that uses a large language model to flag suspicious changes to continuous integration and continuous deployment pipelines, … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/15/ci-cd-abuse-detector-open-source/
-
Week in review: Exploited Check Point VPN zero-day, Oracle PeopleSoft servers under attack
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: DockSec: Open-source AI-powered Docker security scanner DockSec is an OWASP … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/14/week-in-review-exploited-check-point-vpn-zero-day-oracle-peoplesoft-servers-under-attack/
-
Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code
Cybersecurity researchers have described what they say is a new class of attack that can trick artificial intelligence (AI) coding agents into running arbitrary code on developer machines. Called Agentjacking by Tenet Security, the attack can be triggered by means of a fake error report crafted using Sentry, an open-source error-tracking and performance-monitoring platform. “The attack … First…
-
Hackers Use Typosquatted npm Packages to Target Web3 Projects and Crypto Wallet Operators
Hackers have been using typosquatting npm packages to weaponize the trust Web3 teams place in open-source dependencies, turning routine installs into a path for wallet theft, secret harvesting, and staged malware delivery. The campaign is especially dangerous because it blends familiar Ethereum and blockchain branding with postinstall and preinstall abuse, allowing malicious code to execute…