#open source
19 stories taggedopen source.

When AI writes your code, your supply chain just got a new stranger in it
For years, defenders worried about which open-source parts sat inside their software. Now an AI assistant is quietly adding parts of its own, and nobody is quite sure who owns the risk.

North Korean Hackers Poisoned Over 100 Open Source Packages to Spy on Developers
A campaign called PolinRider has quietly corrupted legitimate software building blocks used by developers worldwide, planting tools that steal data and leave a hidden door open for attackers.

Flipper Zero firmware goes into maintenance mode as company hands the wheel to volunteers
The pocket-sized hacking gadget's maker is shrinking its firmware team and letting the community vote on what gets built next.

IBM and Red Hat Launch $5 Billion Initiative to Secure Open-Source Software
IBM and Red Hat invest heavily in Project Lightwell to address open-source software vulnerabilities revealed by Anthropic's AI.

Cordyceps Flaw Class Hands Attackers the Keys to 300+ GitHub Repos
A newly catalogued CI/CD weakness lets attackers hijack workflows at Microsoft, Google and Apache projects, researchers say.

Microsoft Pulls GitHub Repos After 73 Open-Source Projects Get Stealer-Spiked
The 'Miasma' incident looks less like a novel supply-chain zero-day and more like classic account takeover hitting a soft target: the org's own open-source footprint.

Six Flaws in protobuf.js Turn Serialized Schemas Into Execution Vectors
The JavaScript Protocol Buffers library — pulled 50 million times a week — ships patches for a cluster of CVEs that let attackers use schema metadata to run arbitrary code inside Node.js processes.

RubyGems Adds Installation Cooldown to Bundler as Supply Chain Defense
A configurable delay before newly published gems install gives the community time to spot malicious code before it reaches developer machines.

OWASP's CVE Lite CLI Puts Dependency Scanning in the Terminal
A new OWASP Incubator project lets developers scan project dependencies for known vulnerabilities from the command line — no dashboard, no subscription, no delay.

One Bad Character in a Host Header Breaks Auth for Thousands of FastAPI Apps
A parsing gap in Starlette lets unauthenticated requests reach protected routes — and the blast radius runs deep into the AI inference stack.

GlassWorm Is Down. The Repository Problem Isn't.
CrowdStrike, Google, and Shadowserver severed four C2 channels simultaneously. Meanwhile, 157 OSV false positives quietly eroded trust in the tools defenders depend on.

IBM and Red Hat Launch Project Lightwell to Tackle Open Source Vulnerabilities
With a $5 billion investment, Project Lightwell aims to expedite vulnerability remediation in open source software.

IBM and Red Hat Pledge $5 Billion to Lock Down Open Source Supply Chains via Project Lightwell
The initiative targets a deceptively hard problem: patching vulnerabilities in open source dependencies without breaking production workloads that millions of systems depend on.

Account Takeover Flaw in Pretalx CFP Tool Let Attackers Accept Any Conference Talk
An account takeover vulnerability in the open-source call-for-papers platform Pretalx could allow an unauthenticated attacker to manipulate submission outcomes, researchers at Novee have found.

Gitea Patches Unauthenticated Container Image Disclosure Flaw in 1.26.2
CVE-2026-27771 allowed anonymous pulls of private container images from all Gitea deployments prior to version 1.26.2, according to maintainers.