Tag: open-source
-
Out-of-Bounds Write Error – Security Vulnerability in the Open-Source Library FreeType
First seen on security-insider.de Jump to article: www.security-insider.de/sicherheitsluecke-freetype-schutzmassnahmen-a-271a5ff09f3ce56811b5be822e1eaefe/
-
Dependency-Check: Open-source Software Composition Analysis (SCA) tool
Dependency-Check is an open-source Software Composition Analysis (SCA) tool to identify publicly disclosed vulnerabilities within a project’s dependencies. The tool … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/03/19/dependency-check-open-source-software-composition-analysis-sca-tool/
-
Google Releases Major Update for Open Source Vulnerability Scanner
Google has integrated OSV-SCALIBR features into OSV-Scanner, its free vulnerability scanner for open source developers. The post Google Releases Major Update for Open Source Vulnerability Scanner appeared first on SecurityWeek. First seen on securityweek.com Jump to article: www.securityweek.com/google-releases-major-update-for-open-source-vulnerability-scanner/
-
Google Expands OSV-Scanner with New Features for Open-Source Security
Google has introduced the OSV-Scanner tool, a crucial addition to the open-source security ecosystem. Alongside it, Google also released OSV-SCALIBR, a library designed to streamline vulnerability management across multiple software ecosystems. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/google-osv-scanner-tool/
-
Hackers target AI and crypto as software supply chain risks grow
The growing sophistication of software supply chain attacks is driven by widespread flaws in open-source and third-party commercial software, along with malicious campaigns … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/03/18/software-supply-chain-risks/
-
Google Launches Open-Source OSV-Scanner for Detecting Security Vulnerabilities
Google has announced the launch of OSV-Scanner V2, an open-source tool designed to enhance vulnerability scanning and remediation across various software ecosystems. This update follows the recent release of OSV-SCALIBR, another powerful tool in the OSV suite, which together form a comprehensive platform for managing vulnerability metadata and streamlining vulnerability detection and management. Key Features of OSV-Scanner…
-
GitHub restores code following malicious changes to tj-actions tool
GitHub was forced to take action this weekend to help users after a threat actor compromised a popular open source package used by more than 23,000 organizations. First seen on therecord.media Jump to article: therecord.media/github-restores-code-malicious-tj-actions-changes
-
Exploit Code for Apache Tomcat RCE Vulnerability Published on Chinese Forum
Exploits swirling for remote code execution vulnerability (CVE-2025-24813) in open-source Apache Tomcat web server. The post Exploit Code for Apache Tomcat RCE Vulnerability Published on Chinese Forum appeared first on SecurityWeek. First seen on securityweek.com Jump to article: www.securityweek.com/exploit-code-for-apache-tomcat-rce-vulnerability-published-on-chinese-forum/
-
Supply Chain Attack Targets GitHub Repositories and Secrets
Over 23,000 Code Repositories at Risk After Malicious Code Added to GitHub Action. Attackers subverted a widely used tool for the GitHub software development environment, potentially allowing them to steal secrets from thousands of private code repositories as well as compromise other widely used open source libraries, binaries and artifacts that use the tool, experts warned.…
-
⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor, and More
Tags: attack, cybersecurity, exploit, finance, fraud, group, Hardware, malware, open-source, pypi, ransomware, router, supply-chain, threat, tool
From sophisticated nation-state campaigns to stealthy malware lurking in unexpected places, this week’s cybersecurity landscape is a reminder that attackers are always evolving. Advanced threat groups are exploiting outdated hardware, abusing legitimate tools for financial fraud, and finding new ways to bypass security defenses. Meanwhile, supply chain threats are on the rise, with open-source First…
-
Tj-actions Supply Chain Attack Exposes 23,000 Organizations
Researchers warn that popular open source software package tj-actions has been compromised First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/tjactions-supply-chain-attack/
-
AI development pipeline attacks expand CISOs’ software supply chain risk
Tags: access, ai, api, application-security, attack, backdoor, breach, business, ciso, cloud, container, control, cyber, cybersecurity, data, data-breach, detection, encryption, exploit, flaw, fortinet, government, infrastructure, injection, intelligence, LLM, malicious, malware, ml, network, open-source, password, penetration-testing, programming, pypi, risk, risk-assessment, russia, saas, sbom, service, software, supply-chain, threat, tool, training, vpn, vulnerability
Development pipelines are exacerbating software supply chain security problems. Incidents of exposed development secrets via publicly accessible, open-source packages rose 12% last year compared to 2023, according to ReversingLabs (RL). A scan of 30 of the most popular open-source packages found an average of six critical-severity and 33 high-severity flaws per package. Commercial software packages are also a…
-
eSentire Labs Open Sources Project to Monitor LLMs
The eSentire LLM Gateway provides monitoring and governance of ChatGPT and other large language models being used in the organization. First seen on darkreading.com Jump to article: www.darkreading.com/cybersecurity-analytics/esentire-labs-open-sources-project-to-monitor-llms
-
IntelMQ: Open-source tool for collecting and processing security feeds
IntelMQ is an open-source solution designed to help IT security teams (including CERTs, CSIRTs, SOCs, and abuse departments) streamline the collection and processing of … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/03/17/intelmq-open-source-collecting-processing-security-feeds/
-
The most notorious and damaging ransomware of all time
Tags: access, android, attack, backdoor, backup, banking, botnet, breach, communications, computer, control, credentials, cryptography, cyber, cybercrime, dark-web, data, defense, detection, email, encryption, endpoint, exploit, extortion, finance, flaw, framework, germany, google, government, group, hacker, hacking, healthcare, infection, infrastructure, international, jobs, korea, law, lazarus, leak, linux, malicious, malware, microsoft, mobile, msp, network, north-korea, office, open-source, oracle, password, phishing, phone, powershell, ransom, ransomware, russia, service, software, spam, switch, technology, threat, tool, ukraine, update, usa, virus, vulnerability, windows
Conti: History: First appearing in May 2020, the Conti RaaS platform is considered the successor to the Ryuk ransomware. As of January 2021, Conti is believed to have infected over 150 organizations and earned millions of dollars for its criminal developers and their affiliates. At least three new versions have been found since its inception. How it works: Conti uses the…
-
Pre-authentication SQL Injection to RCE in GLPI (CVE-2025-24799 / CVE-2025-24801)
Summary A significant vulnerability has been identified in GLPI, a popular open-source IT asset management tool. This vulnerability, tracked as CVE-2025-24799 and CVE-2025-24801, allows an First seen on research.kudelskisecurity.com Jump to article: research.kudelskisecurity.com/2025/03/14/pre-authentication-sql-injection-to-rce-in-glpi-cve-2025-24799-cve-2025-24801/
-
New Cyber Attack Targets PyPI Users to Steal Cloud Tokens and Sensitive Data
A recent discovery by ReversingLabs researchers has unveiled a malicious cyber attack targeting users of the Python Package Index (PyPI), a popular platform for Python developers. This sophisticated campaign involves malicious packages masquerading as time-related utilities but designed to steal sensitive data, including valuable cloud tokens. The attack highlights the increasing vulnerability of open-source repositories…
-
FreeType Zero-Day Being Exploited in the Wild
Meta’s Facebook security team warns of live exploitation of a zero-day vulnerability in the open-source FreeType library. The post FreeType Zero-Day Being Exploited in the Wild appeared first on SecurityWeek. First seen on securityweek.com Jump to article: www.securityweek.com/freetype-zero-day-being-exploited-in-the-wild/
-
CVE-2025-27363: FreeType Vulnerability in Meta Exploited in the Wild
Meta has issued a security advisory regarding a newly discovered vulnerability in the FreeType open-source font rendering library. Tracked as CVE-2025-27363, this flaw has been assigned a CVSS score of 8.1, categorizing it as a high-severity issue. Security experts warn… First seen on sensorstechforum.com Jump to article: sensorstechforum.com/cve-2025-27363-freetype-meta-vulnerability/
-
Apache NiFi Vulnerability Exposes MongoDB Credentials to Attackers
A critical security vulnerability has been identified in Apache NiFi, a popular open-source data integration tool. The vulnerability, tracked as CVE-2025-27017, allows authorized users with read access to the system to view sensitive credentials used to connect to MongoDB databases. This security flaw affects multiple versions of Apache NiFi, prompting urgent action from users to…
-
GitHub Uncovers New ruby-saml Vulnerabilities Allowing Account Takeover Attacks
Two high-severity security flaws have been disclosed in the open-source ruby-saml library that could allow malicious actors to bypass Security Assertion Markup Language (SAML) authentication protections. SAML is an XML-based markup language and open standard used for exchanging authentication and authorization data between parties, enabling features like single sign-on (SSO), which allows First seen on thehackernews.com Jump…
-
Hackers Exploiting JSPSpy To Manage Malicious Webshell Networks
Tags: access, cyber, cybersecurity, exploit, hacker, infrastructure, malicious, network, open-source
Cybersecurity researchers have recently identified a cluster of JSPSpy web shell servers featuring an unexpected addition, Filebroser, a rebranded version of the open-source File Browser file management tool. This discovery sheds light on how attackers continue to leverage web shells for persistent access and post-compromise operations while blending into legitimate infrastructure. JSPSpy With Webshell Infrastructure…
-
FreeType Vulnerability Actively Exploited for Arbitrary Code Execution
A significant vulnerability has been identified in the FreeType library, a widely used open-source font rendering engine. This vulnerability, tracked as CVE-2025-27363, is being actively exploited and may lead to arbitrary code execution on affected systems. Overview of the Vulnerability: The vulnerability exists in FreeType versions 2.13.0 and below, specifically when the library attempts to…
-
Meta Warns of FreeType Vulnerability (CVE-2025-27363) With Active Exploitation Risk
Meta has warned that a security vulnerability impacting the FreeType open-source font rendering library may have been exploited in the wild. The vulnerability has been assigned the CVE identifier CVE-2025-27363, and carries a CVSS score of 8.1, indicating high severity. Described as an out-of-bounds write flaw, it could be exploited to achieve remote code execution when…
-
Companies Are Drowning in Software Vulnerabilities
Tags: ai, cve, cybersecurity, framework, open-source, risk, software, strategy, supply-chain, vulnerability, xss
The average time to fix security vulnerabilities has risen significantly over the past five years. According to Veracode's current State of Software Security Report, the average time to fix security vulnerabilities has risen from 171 to 252 days over the past five years. In addition, half (50 percent) of companies now carry a high-risk “security debt” that has persisted longer…