Tag: open-source
-
Chainguard Unveils Factory 2.0 to Automate Hardening the Software Supply Chain
The rebuilt Chainguard platform adds deeper security designed to continuously reconcile open-source artifacts across containers, libraries, Actions and skills. First seen on darkreading.com Jump to article: www.darkreading.com/application-security/chainguard-factory-automate-hardening-software-supply-chain
-
Chainguard Unveils Factory 2.0 to Automate Hardening the Software Supply Chain
The rebuilt Chainguard platform adds deeper security designed to continuously reconcile open-source artifacts across containers, libraries, Actions and skills. First seen on darkreading.com Jump to article: www.darkreading.com/application-security/chainguard-factory-automate-hardening-software-supply-chain
-
Microsoft releases open-source toolkit to govern autonomous AI agents
AI agents can book travel, execute financial transactions, write and run code, and manage infrastructure without human intervention at each step. Frameworks like LangChain, … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/04/03/microsoft-ai-agent-governance-toolkit/
-
Open-Source FIM: Freely Available. But What Makes Them Expensive?
<div cla In a previous article, we explained why it is worth licensing File Integrity Monitoring (FIM) rather than using open-source alternatives. The decision is not “free vs paid”; it is about streamlined access to the risk management capabilities of FIM and controlling costs. CimTrak is a purpose-built system that produces control and evidence through…
-
JFrog deckt Angriff auf ein Schwergewicht der KI-Entwicklung auf
Der Angriff zeigt einmal mehr, wie verwundbar die moderne Softwareentwicklung geworden ist. Open-Source-Bibliotheken sind das Fundament zahlloser Anwendungen First seen on infopoint-security.de Jump to article: www.infopoint-security.de/jfrog-deckt-angriff-auf-ein-schwergewicht-der-ki-entwicklung-auf/a44490/
-
The State of Trusted Open Source Report
In December 2025, we shared the first-ever The State of Trusted Open Source report, featuring insights from our product data and customer base on open source consumption across our catalog of container image projects, versions, images, language libraries, and builds. These insights shed light on what teams pull, deploy, and maintain day to day, alongside…
-
Mercor says it was hit by cyberattack tied to compromise of open source LiteLLM project
The AI recruiting startup confirmed a security incident after an extortion hacking crew took credit for stealing data from the company’s systems. First seen on techcrunch.com Jump to article: techcrunch.com/2026/03/31/mercor-says-it-was-hit-by-cyberattack-tied-to-compromise-of-open-source-litellm-project/
-
Axios open-source library targeted in sophisticated supply chain attack
Researchers link the compromise to a North Korean adversary and warn the impacts could be wide ranging. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/axios-open-source-library-targeted-in-sophisticated-supply-chain-attack/816343/
-
Mutation testing for the agentic era
Tags: ai, api, authentication, blockchain, framework, guide, metric, open-source, risk, rust, skills, software, switch, tool, vulnerabilityCode coverage is one of the most dangerous quality metrics in software testing. Many developers fail to realize that code coverage lies by omission: it measures execution, not verification. Test suites with high coverage can obfuscate the fact that critical functionality is untested as software develops over time. We saw this when mutation testing uncovered…
-
New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation, Patch Released
Google on Thursday released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild.The high-severity vulnerability, CVE-2026-5281 (CVSS score: N/A), concerns a use-after-free bug in Dawn, an open-source and cross-platform implementation of the WebGPU standard.”Use-after-free in Dawn in Google Chrome prior…
-
Google Says North Korea Was Behind the Axios npm Supply Chain Attack
A supply chain compromise involving the widely used JavaScript package Axios is now being tied to a North Korea-linked threat actor, turning what already looked like a serious open-source incident into a much bigger security story. Google Threat Intelligence Group said the attack targeted the official Axios package on npm and attributed the activity to……
-
(g+) Situation Monitors vs. Osint: Desinformation statt Intelligence
Situation Monitors über den Iran schaffen Verwirrung, nicht Aufklärung – zumindest solange man nicht zwischen Open Source Information und Open Source Intelligence unterscheidet. First seen on golem.de Jump to article: www.golem.de/news/situation-monitors-vs-osint-desinformation-statt-intelligence-2603-207025.html
-
AI Startup Mercor Hit by Supply Chain Attack Linked to LiteLLM
Tags: ai, attack, breach, cyberattack, data, data-breach, malicious, open-source, risk, software, startup, supply-chainA recent Mercor cyberattack has brought renewed attention to the risks associated with open-source software dependencies, after the AI recruiting startup confirmed it was impacted by a broader supply chain compromise. The Mercor data breach, which is still under investigation, has been linked to a malicious incident involving the widely used LiteLLM project. First seen…
-
AI Startup Mercor Hit by Supply Chain Attack Linked to LiteLLM
Tags: ai, attack, breach, cyberattack, data, data-breach, malicious, open-source, risk, software, startup, supply-chainA recent Mercor cyberattack has brought renewed attention to the risks associated with open-source software dependencies, after the AI recruiting startup confirmed it was impacted by a broader supply chain compromise. The Mercor data breach, which is still under investigation, has been linked to a malicious incident involving the widely used LiteLLM project. First seen…
-
Javascript-Bibliothek: Nordkoreanische Hacker sollen hinter Axios-Hack stecken
Millionen Entwickler nutzen die Axios-Bibliothek. Hinter dem Schadsoftware-Angriff auf das Open-Source-Projekt stecken womöglich nordkoreanische Hacker. First seen on golem.de Jump to article: www.golem.de/news/javascript-bibliothek-nordkoreanische-hacker-sollen-hinter-axios-hack-stecken-2604-207133.html
-
Anthropic employee error exposes Claude Code source
Tags: access, ai, computer, control, credentials, cybercrime, data, data-breach, malicious, open-source, service, technology, tool, vulnerabilityCSO, “no sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We’re rolling out measures to prevent this from happening again.”But it wasn’t the first time this had happened; according to Fortune and other news sources, the same thing happened last…
-
Mercor says it was hit by cyberattack tied to compromise of open-source LiteLLM project
The AI recruiting startup confirmed a security incident after an extortion hacking crew took credit for stealing data from the company’s systems. First seen on techcrunch.com Jump to article: techcrunch.com/2026/03/31/mercor-says-it-was-hit-by-cyberattack-tied-to-compromise-of-open-source-litellm-project/
-
Synthetic data is all you need for Reinforcement Learning
We used Tonic Fabricate to generate a fully synthetic email corpus, then RL fine-tuned an open-source model against it. The result: it beat o3 on real Enron emails, without ever seeing a real email. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/03/synthetic-data-is-all-you-need-for-reinforcement-learning/
-
Attackers trojanize Axios HTTP library in highest-impact npm supply chain attack
Tags: ai, attack, breach, cloud, control, credentials, crypto, github, incident response, linux, LLM, macOS, malicious, malware, monitoring, open-source, openai, powershell, pypi, rat, spam, supply-chain, tool, windowspostinstall hook that would execute a dropper script when it was pulled in by a different package as a dependency.Shortly after midnight UTC on March 31 a new version of the Axios package, axios@1.14.1, was published on npm followed by axios@0.30.4 39 minutes later. Both listed plain-crypto-js@4.2.1 as a dependency in their package.json files, but…
-
Supply chain attack on Axios npm package: Scope, impact, and remediations
Tags: access, api, attack, breach, cloud, control, credentials, crypto, data, data-breach, defense, exploit, incident response, macOS, malicious, malware, open-source, rat, risk, security-incident, software, supply-chain, theft, threat, vulnerability, windowsThe Axios npm package has been compromised in a supply chain attack that uploaded new versions of the package containing malicious code. Any environment that downloaded these compromised Axios versions is at risk of severe data theft, including the loss of credentials and API keys. Scan your environment now. Key takeaways This incident is a…
-
North Korean hackers blamed for hijacking popular Axios open source project to spread malware
A hacker inserted malware in Axios, an open source web tool downloaded tens of millions of times weekly, in a widespread hack. First seen on techcrunch.com Jump to article: techcrunch.com/2026/03/31/hacker-hijacks-axios-open-source-project-used-by-millions-to-push-malware/
-
North Korean hackers blamed for hijacking popular Axios open-source project to spread malware
A hacker inserted malware in Axios, an open-source web tool downloaded tens of millions of times weekly, in a widespread hack. First seen on techcrunch.com Jump to article: techcrunch.com/2026/03/31/hacker-hijacks-axios-open-source-project-used-by-millions-to-push-malware/
-
Attack on axios software developer tool threatens widespread compromises
Researchers at numerous firms are sounding warnings about the supply-chain attack on an open-source project with 100 million weekly downloads. First seen on cyberscoop.com Jump to article: cyberscoop.com/axios-software-developer-tool-attack-compromise/
-
Hacker hijacks Axios open-source project, used by millions, to push malware
A hacker inserted malware in Axios, an open-source web tool downloaded tens of millions of times weekly, in a widespread hack. First seen on techcrunch.com Jump to article: techcrunch.com/2026/03/31/hacker-hijacks-axios-open-source-project-used-by-millions-to-push-malware/
-
How we made Trail of Bits AI-native (so far)
Tags: access, ai, application-security, attack, automation, blockchain, business, ceo, chatgpt, computer, computing, conference, control, data, email, germany, government, identity, injection, jobs, macOS, marketplace, nvidia, open-source, risk, service, skills, strategy, supply-chain, technology, threat, tool, vulnerabilityThis post is adapted from a talk I gave at [un]prompted, the AI security practitioner conference. Thanks to Gadi Evron for inviting me to speak. You can watch the recorded presentation below or download the slides. Most companies hand out ChatGPT licenses and wait for the productivity numbers to move. We built a system instead.…
-
Situation Monitors vs. Osint: Desinformation statt Intelligence
Situation Monitors über den Iran schaffen Verwirrung, nicht Aufklärung – zumindest solange man nicht zwischen Open Source Information und Open Source Intelligence unterscheidet. First seen on golem.de Jump to article: www.golem.de/news/situation-monitors-vs-osint-desinformation-statt-intelligence-2603-207025.html
-
Rspamd 4.0.0 ships memory savings, a new scan protocol, and a required migration step
The open-source spam filtering platform Rspamd released version 4.0.0, delivering infrastructure changes across its scan protocol, memory model, hash storage, and … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/03/31/rspamd-4-0-0-released/
-
Situation Monitors vs Osint: Desinformation statt Intelligence
Situation Monitors über den Iran schaffen Verwirrung, nicht Aufklärung – zumindest solange man nicht zwischen Open Source Information und Open Source Intelligence unterscheidet. First seen on golem.de Jump to article: www.golem.de/news/situation-monitors-vs-osint-desinformation-statt-intelligence-2603-207025.html