#OpenSourceSecurity

2026-03-09

This week on #OpenSourceSecurity I had a chat with Paul Kehrer and Alex Gaynor about the statement they published discussing the challenges posed by modern OpenSSL for the python cryptography module.

It was a super fun discussion, I learned a ton, and it highlights the open source question about what happens when one of your dependencies isn't a great fit anymore.

opensourcesecurity.io/2026/202

2026-03-02

I had a chat on #OpenSourceSecurity with @sylvestre about his Rust coreutils work.

Replacing coreutils with Rust is one of those things that I love as a way to improve security but also keep a project fresh in the modern age.

I learned a ton from this discussion.

opensourcesecurity.io/2026/202

2026-02-28

Supply chain security meets reproducible builds.
ExpressVPN is sponsoring PlanetNix 2026, highlighting the intersection of privacy, open-source infrastructure, and build reproducibility.
Event focus areas:
• Deterministic builds
• Secure deployment pipelines
• DevSecOps integration
• Team-level onboarding models
• Production-grade Nix environments

Reproducibility is increasingly tied to:
– Software supply chain integrity
– Auditability
– Compliance frameworks
– Infrastructure security baselines
As build determinism becomes more relevant to threat modeling, open-source tooling like Nix may play a critical role.

Source: planetnix.com/

Are reproducible systems now essential for modern security architecture?

Engage in the comments.
Follow TechNadu for high-signal infosec reporting.
Repost to amplify open-source security discussions.

#Infosec #DevSecOps #SupplyChainSecurity #ReproducibleBuilds #NixOS #OpenSourceSecurity #ExpressVPN #CloudSecurity #InfrastructureSecurity #ThreatModeling

2026-02-26

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! youtube.com/watch?v=FazSzP_Kty4

2026-02-24

Open Infrastructure Spotlight at FOSSASIA Summit 2026

ExpressVPN is leveraging its Platinum Sponsorship to host a media booth dedicated to open-source maintainers.

Focus areas:
• Maintainer roadmaps
• Security philosophy in OSS
• Open infrastructure resilience
• Community-driven development

With supply-chain risk and dependency transparency dominating 2026 security conversations, maintainers play a critical role in ecosystem stability.

If you're building open tools that impact security, privacy, or infrastructure - stop by and share your perspective.

Source: x.com/expressvpn/status/202470

Comment below:
What’s the biggest security challenge facing open-source projects this year?

Follow @technadu for in-depth open-source and cybersecurity coverage.

#Infosec #OpenSourceSecurity #FOSSASIA2026 #Maintainers #SoftwareSupplyChain #OpenInfrastructure #CyberSecurity #DevSecOps #OSS #SecurityCommunity

2026-02-23

This week on #OpenSourceSecurity I chat with Brad Axen about Goose and the Agentic AI Foundation.

I'm often skeptical about AI claims, but I do approve of the foundation model and seeing Goose donated to it.

Brad has some good insights into what we're seeing and what's probably coming in the future. It's hard to keep track of everything happening.

opensourcesecurity.io/2026/202

2026-02-19

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! youtube.com/watch?v=-Unu5gZ8Cxc

2026-02-18

The software supply chain is already broken. SBOMs help you see where.

Learn how to make software visibility your first step.

jeffbailey.us/blog/2026/02/06/

#Software #SBOM #SoftwareSupplyChain #AppSec #OpenSourceSecurity #DevSecOps #OSS #SRE #PlatformEngineering

2026-02-18

Switzerland Operationalizes 24-Hour Critical Infrastructure Cyber Reporting

The National Cyber Security Centre (NCSC) processed ~65,000 incident reports in 2025, including 222 under the newly mandated 24-hour reporting requirement under the ISG/CSV framework.

Operational enhancements included:
• Expanded Cyber Security Hub (1,600 members)
• 4,615 incident artifacts exchanged via MISP
• Increased bug bounty deployment across federal IT
• Open-source vulnerability testing (TYPO3, QGIS)
• CHF 18.4M total expenditure, including CHF 3.8M IT investment

This represents a mature shift toward structured national cyber governance: centralized intake, intelligence enrichment, proactive vulnerability reduction, and enforceable compliance.

From an operational standpoint, rapid disclosure requirements tighten detection cycles and strengthen cross-sector signal correlation.

Is mandatory reporting the future baseline for critical infrastructure defense?

Source: industrialcyber.co/reports/swi

Follow @technadu for global cyber governance and threat intelligence analysis.

#Infosec #NCSC #MISP #CyberGovernance #CriticalInfrastructure #BugBounty #OpenSourceSecurity #ThreatIntelligence

Switzerland’s NCSC boosts operational capabilities, mandates cyberattack reporting on critical infrastructure
2026-02-14

The “Graphalgo” campaign represents a modular software supply-chain intrusion targeting developers directly.

Per ReversingLabs findings:
• 192 malicious npm/PyPI packages
• Delayed payload activation (post-version change)
• GitHub repos clean — malicious logic introduced via dependency chain
• RAT variants in JS, Python, VBS
• MetaMask wallet targeting
• Token-protected C2 channels
• GMT+9 commit indicators

Attribution aligns with historical tradecraft associated with Lazarus Group:
• Crypto-focused targeting
• Recruitment vector infection
• Patience-based staged activation

This is a direct developer-layer attack bypassing enterprise perimeter defenses.

Source: bleepingcomputer.com/news/secu

Are dependency registries the new primary attack surface?
Engage below.

Follow @technadu for advanced threat analysis.

#ThreatIntel #SupplyChainSecurity #MalwareAnalysis #RAT #OpenSourceSecurity #DevSecOps #LazarusGroup #PackageSecurity #AppSec #BlueTeam #CyberThreats #IoC #Infosec

Fake job recruiters hide malware in developer coding challenges
2026-02-14

REMnux v8 represents a structural modernization of a long-standing malware analysis distribution.

Technical highlights:
• Migration to Ubuntu 24.04 (modern kernel + LTS support)
• Cast-based installer replacing legacy CLI deployment
• AI-assisted workflows via MCP server
• Integration support for Ghidra with AI plugins

Tooling refresh includes:
• YARA-X (Rust rewrite for performance improvements)
• GoReSym (symbol recovery for Go binaries)
• APKiD (Android packer detection)
• Manalyze (PE/ELF/MachO static parsing)

This release signals an industry shift toward AI-augmented reverse engineering pipelines.

Is AI-assisted RE the new baseline for threat labs?

Source: cyberpress.org/remnux-v8-relea

Engage below.
Follow @technadu for deep technical cybersecurity updates.

#ThreatResearch #MalwareAnalysis #ReverseEngineering #YARAX #GoBinary #DFIR #Infosec #AIinSecurity #BlueTeam #StaticAnalysis #OpenSourceSecurity #SOC #ThreatHunting

REMnux v8 Released: Enhanced Automation, AI Features, and Modernized Utilities
2026-02-11

We welcome the launch of db.gcve.eu, an open, European-operated vulnerability advisory database strengthening digital sovereignty and multi-source intelligence.

At CrowdSec, we believe this multi-source, sovereignty-driven approach is essential. And we complement it with real-world exploitation evidence from production telemetry through our Live Exploit Tracker.

Defenders don’t just need more data; they need trustworthy, actionable signals.

👉 Read more: crowdsec.net/blog/crowdsec-wel

#cybersecurity #vulnerabilityintelligence #digitalsovereignty #opensourcesecurity #threatintelligence

2026-02-09

Tirith introduces proactive detection for homoglyph and terminal-injection attacks directly inside the shell.

By analyzing commands locally and blocking execution when deceptive Unicode, unsafe pipelines, or typosquatted sources are detected, the tool addresses a blind spot left by browser-centric defenses. Its zero-telemetry, no-network design makes it suitable for sensitive environments.

Source: bleepingcomputer.com/news/secu

💬 Is CLI-level defense overdue in enterprise security stacks?

🔔 Follow @technadu for emerging defensive tooling

#InfoSec #DevSecOps #TerminalSecurity #OpenSourceSecurity #PhishingDefense #CyberTools #TechNadu

New tool blocks imposter attacks disguised as safe commands
2026-02-08

🚨 Patreon exclusive tomorrow! 🚨
February Bonus Episode of Impractical Privacy:

OS Ops. Securing your Desktop.

🔐 We break down the hidden telemetry, hardening tricks, and how to throw Whonix or Tails into the mix for that extra layer of anonymity.

👥 Only for my Patreon Big Fans—thank you for keeping the lights on and the data safe.

▶️ Listen now: patreon.com/c/SudoBurnToast

2026-02-05

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! youtube.com/watch?v=0GtI0pEWpzI

2026-02-04

The Eclipse Foundation is moving Open VSX Registry security upstream by introducing pre-publish extension verification, transitioning from reactive incident response to proactive risk reduction.

Checks are designed to flag impersonation, exposed secrets, and known malicious patterns, with suspicious submissions quarantined for review. The phased rollout aims to minimize false positives while improving ecosystem trust.

This aligns with broader trends in securing developer tooling and shared infrastructure against supply-chain abuse.

Source: thehackernews.com/2026/02/ecli

💬 How effective do you expect pre-publish controls to be in open-source ecosystems?
Follow @technadu for objective infosec reporting.

#Infosec #SupplyChainSecurity #OpenSourceSecurity #DevSecOps #VSCode #TechNadu

Eclipse Foundation Mandates Pre-Publish Security Checks for Open VSX Extensions