open source software supply chain
‘Polyfill’ Supply Chain Threat: 4x Worse Than We Thought
Spackle attack: Chinese company takes over widely used free web service—almost 400,000 websites at risk ...
‘Perfect 10’ Apple Supply Chain Bug — Millions of Apps at Risk of CocoaPods RCE
Tim looks grim: 10 year old vulnerabilities in widely used dev tool include a CVSS 10.0 remote code execution bug ...
GitHub Fights Forks — Millions of Them — Huge Software Supply Chain Security FAIL
Forking hell: Scrotebots clone thousands of projects, injecting malware millions of times ...
Two Campaigns Drop Malicious Packages into NPM
The popular NPM code registry continues to be a target of bad actors looking to sneak their malicious packages into open-source code used by software developers. Researchers with Fortinet’s FortiGuard Labs this ...
Broken ARM: Mali Malware Pwns Phones
Exploited in the wild: Yet more use-after-free vulns in Arm’s Mali GPU driver ...
Patch EVERYTHING: Widely Used ‘WebP’ Code has Critical Bug
WebP FAIL. Critical vuln in libwebp: Go get updates to Chrome, Firefox, Edge, Slack and more ...
CISA Put Securing Open Source Software on the Roadmap
The government’s top cybersecurity agency is laying out steps it says are necessary to ensure that open source software, which is increasingly ubiquitous in modern IT environments, is secure. The eight-page document ...
Google Vulnerability Reward Program Focuses on Open Source Software
Google’s bug bounty program will be expanded to include a special open source section called the Open Source Software Vulnerability Rewards Program (OSS VRP), the company announced on its security blog. Through ...
OpenSSF Seeks $150M+ to Address Open Source Software Security
The Open Source Security Foundation (OpenSSF) this week outlined a plan to better secure open source software by focusing on 10 streams of investment that, in total, would require more than $150 ...
Google Contributes $1M to Reward Developers for OSS Security
Google today launched a Secure Open Source (SOS) pilot program, managed by the Linux Foundation, through which it will set aside $1 million to compensate developers that work on initiatives to better ...
