#opensourcesecurity

2026-01-26

It was awesome to have @firstyear back on #OpenSourceSecurity to chat about passkeys

I was struggling to understand what a passkey actually is

Apparently it's because the definition of what a passkey is has changed over time

There's so much to learn from this episode I don't even know where to start

opensourcesecurity.io/2026/202

2026-01-21

📝 New article by a CrowdSec Ambassador, Killian Prin-Abeil! 🎉

In this deep dive, Killian breaks down React2Shell (CVE-2025-55182), from how the RCE works in React Server Components to why Next.js apps are vulnerable by default.

He also explores how the community reacted in hours, with CrowdSec shipping a virtual patch and threat intel to reduce exposure immediately.

👉Read it here: crowdsec.net/blog/react2shell-

#react #NextJS #AppSec #opensourcesecurity #react2shell #CVE

2026-01-20

RE: infosec.exchange/@joshbressers

Wanna learn why #Suricata has meerkat as mascots? (And also much more about our project, from our lead developer).

Tune in for another great episode of #OpenSourceSecurity! ;)

2026-01-19

This episode of #OpenSourceSecurity I discuss @suricata with @inliniac

Victor tells us all about the past, present, and future of #Suricata

I learned a ton

opensourcesecurity.io/2026/202

2026-01-15

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! youtube.com/watch?v=EBUBPBIvuT4

somewhat tired mouse in its bed (algernon@come-from.mad-scientist.club)
2026-01-12

For the evening crowd: I was on @joshbressers's #OpenSourceSecurity podcast, chatting about iocaine. My first interview and video appearance in about a decade, and it was a lot of fun. Thanks Josh!

Also: there's now recent video proof that I am not a mouse! I even look presentable on the thumbnail, a marvelous feat.

Look here for the link.

2026-01-12

This week on #OpenSourceSecurity I have a chat with @algernon about @iocaine

Iocaine creates a maze of garbage to trap scraping bots. I love this idea, it has amazing chaotic good energy!

I learn all about how Iocaine works, and even got to see some dashboards showing off the size of the problem and how Iocaine handles it all.

opensourcesecurity.io/2026/202

2026-01-12

The EU has opened a consultation on open source as part of broader digital ecosystem planning.

Key themes include:
• Software supply-chain transparency
• Long-term sustainability of open-source infrastructure
• Reduced systemic dependency risks
• Scaling beyond grant-funded projects

The discussion positions open source as foundational to cybersecurity and resilience.

Source: theregister.com/2026/01/11/eu_

Share insights and follow @technadu for objective global InfoSec and policy updates.

#OpenSourceSecurity #SupplyChain #CyberResilience #TechPolicy #FOSS #InfoSec

Brussels plots open source push to pry Europe off Big Tech

2026-01-12

Critical vulnerabilities were disclosed in InputPlumber affecting Linux systems, including SteamOS.

Impact highlights:
• Insufficient D-Bus authorization
• Potential keystroke injection via virtual devices
• Local denial-of-service and information exposure

The fixes emphasize secure Polkit usage, systemd hardening, and proper privilege boundaries.

Share insights and follow @technadu for vendor-neutral security reporting.

#InfoSec #LinuxHardening #VulnerabilityResearch #Polkit #D-Bus #OpenSourceSecurity

Critical InputPlumber Flaw Enables UI Input Injection and Denial-of-Service

2026-01-07

n8n has disclosed a CVSS 10.0 vulnerability that could lead to authenticated remote code execution under certain conditions.

The issue affected both self-hosted and cloud deployments and has been addressed in a patched release. Temporary mitigations include reducing untrusted access and limiting high-risk nodes.

Another reminder that workflow automation platforms require the same threat modeling as core infrastructure.

Source: thehackernews.com/2026/01/n8n-

Follow @technadu for objective infosec updates.

#Infosec #RCE #VulnerabilityDisclosure #OpenSourceSecurity #CloudRisk #DevSecOps

n8n Warns of CVSS 10.0 RCE Vulnerability Affecting Self-Hosted and Cloud Versions

2026-01-05

GHOSTCREW is an AI-assisted, open-source red team toolkit designed to coordinate established penetration testing tools through conversational prompts, task trees, and structured workflows.

Its approach reflects a broader shift toward agent-supported security testing - emphasizing orchestration, repeatability, and reporting rather than fully autonomous exploitation.

For security teams, this highlights the need to understand how AI-enhanced tooling changes both testing efficiency and defensive assumptions.

How should organizations account for agent-assisted red teaming in their security strategy?

Source: cybersecuritynews.com/ghostcre

Follow @technadu for objective infosec reporting and analysis.

#InfoSec #RedTeamTools #Pentesting #AIinCyber #ThreatModeling #OpenSourceSecurity #TechNadu

GHOSTCREW – AI-based Red Team Toolkit for Penetration Testing Invoking Metasploit, Nmap and Other Tools

2026-01-05

This week on #OpenSourceSecurity I have a chat with @cadey about #Anubis, the tool that stops web AI scrapers

The scale of web scraping is way worse than I expected, and blocking things is also a lot harder than I expected

This is one of those conversations where I learned how little I know

opensourcesecurity.io/2026/202

2026-01-02

wa-crypt-tools is an open-source toolkit for handling encrypted WhatsApp backups (.crypt12/.crypt14/.crypt15) when the legitimate key is available.

The project supports protobuf-based formats, integrates with forensic workflows, and is frequently cited in research on E2EE behavior, message retention, and backup security. It reinforces that encryption remains intact - access hinges on key control, not exploitation.

How do you see tools like this shaping future mobile forensic standards?

Source: cybersecuritynews.com/whatsapp

Engage in the discussion and follow @technadu for technically grounded security coverage.

#InfoSec #MobileForensics #EncryptionResearch #OpenSourceSecurity #PrivacyEngineering #TechNadu

WhatsApp Crypt Tool to Encrypt and Decrypt WhatsApp Backups

2025-12-29

This week on #OpenSourceSecurity I chat with @djc and @ctz about #Rustls. A lot has happened with Rustls in the last few years (and there's a lot more to come). Writing a TLS implementation is incredibly complicated, even when you don't have to worry about memory safety

opensourcesecurity.io/2025/202

#TLS #Rustls #Rust #MemorySafety

2025-12-24

WebRat malware spreads via fake GitHub exploit repos — attackers are poisoning trust in open source to deliver payloads. Verify before you clone. 🧩⚠️ #OpenSourceSecurity #MalwareCampaign

bleepingcomputer.com/news/secu

2025-12-22

On a very special Christmas episode of #OpenSourceSecurity I asked Daniel Thompson-Yvetot how the #CRA will impact Santa Claus

I meant the episode to be silly, just in time for Christmas, but I think I learned more from Daniel in those 50 minutes than I have in the last 3 years reading about CRA

It's an amazing episode filled with things to learn, and even some silly ideas :)

Also, Daniel has a new book you can enter a drawing for, instructions are at the end of the show

opensourcesecurity.io/2025/202

2025-12-19

OpenSSF-funded improvements to Sigstore’s rekor-monitor are making transparency logs easier to monitor for malicious package releases and identity misuse.

Great work by @trailofbits, with support from the sigstore maintainer community including Hayden Blauzvern and @mihaimaruseac.

🔗 openssf.org/blog/2025/12/19/ca

#OpenSourceSecurity #sigstore #SupplyChainSecurity

2025-12-18

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! youtube.com/watch?v=EuEocYRN4ag
