We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=vQTvAPCvr2c
Governance: because even code needs structure and curfews. #LicenseClearance #OpenSourceSecurity #Governance
Authorities in Russia report that they dismantled a group using NFCGate-based malware distributed through messaging apps to collect card data and perform unauthorized ATM withdrawals.
Reported losses exceed 200M rubles, and researchers continue to track increasingly advanced NFCGate variants used in financial fraud across multiple regions.
What detection or policy mechanisms do you think can most effectively limit the misuse of open-source NFC tooling?
Source: https://therecord.media/russian-police-bust-banking-hackers-nfcgate-based-malware
Follow us for steady, unbiased threat-research coverage.
#InfoSec #Cybersecurity #ThreatResearch #FinancialFraud #MobileSecurity #Malware #NFC #OpenSourceSecurity #FraudAnalysis #CyberAwareness #SecurityCommunity
This week on #OpenSourceSecurity I chat with Jamie Tanna about updating open source dependencies. It's usually not as simple as "just update", and Jamie has a ton of real-world experience in this from working on Renovate.
We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=imLWFmYfVbQ
Secure by Design. Privacy by Default.
Whonix is built on Kicksecure-hardened Debian and runs inside VMs, so your IP, identity & data stay protected.
#Whonix #CyberSecurity #Kicksecure #PrivacyMatters #SecureByDesign #PrivacyByDefault #Anonymity #TorNetwork #VMsecurity #DataProtection #CyberDefense #SecurityHardened #OpenSourceSecurity #DigitalPrivacy
With 97% of developers now using AI coding tools at work, the question isn't if AI is in your codebase. It's where.
We take a closer look at how AI-generated code can alter your software supply chain, sometimes in ways you won't notice until it's too late.
See our thoughts on managing AI-driven risk with confidence.
#SoftwareSupplyChain #AIinEngineering #DevSecOps #OpenSourceSecurity #SoftwareSecurity #AIGeneratedCode #SecureDevelopment #ActiveState
This episode of #OpenSourceSecurity I chat with Alex Zenla from Edera about the #TARmageddon vulnerability they found
I've coordinated a lot of vulnerabilities in my day, but never have I had to even think about something as difficult as this one. Alex fills us in on how it was found, what the coordination looked like, and some things to think about as we manage these incredibly complex supply chains
https://opensourcesecurity.io/2025/2025-12-tarmageddon-alex/
Enhancing the software supply chain starts long before code reaches a scanner. It begins with the quality of the open-source components you bring into your ecosystem.
In our latest post, we break down why upstream integrity matters now and how a curated, source-built catalog is becoming a quiet advantage for more resilient software supply chains.
Link to post: https://www.activestate.com/resources/quick-reads/top-benefits-of-software-supply-chain-security-tools
#SoftwareSupplyChain #OpenSourceSecurity #SupplyChainSecurity #SecureByDesign #DevSecOps #AppSec
Another npm supply-chain attack hit this week: the Shai-Hulud worm resurfaced, embedding credential-harvesting code into legitimate packages and executing through install scripts.
Once triggered, it collected environment variables and secrets, then propagated by publishing compromised packages under names that looked trustworthy.
Here's a resource that can help your team stay ahead of attacks like this:
https://www.activestate.com/blog/protect-your-team-from-future-npm-attacks-with-activestate/
#OpenSourceSecurity has a chat with @sethmlarson about @ThePSF security
Seth has a new whitepaper, there's a CFP open (which you should submit a paper to), and some discussion about the PSF grant situation
It's always fun to chat with Seth, I learn a ton every time!
https://opensourcesecurity.io/2025/2025-11-python-security-seth-larson/
Oh joy, another thrilling episode of "Whack-a-Mole: Software Edition," where 300+ NPM packages show us that open source security is an oxymoron! #HelixGuard struts in with their clipboard and magnifying glass, ready to save the day, right after the damage is done.
https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24 #openSourceSecurity #NPMpackages #softwareVulnerabilities #cybersecurity #HackerNews #ngated
We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=REMLniQyhkE
The EU Cyber Resilience Act (CRA) is about to fundamentally change how software teams build and ship products in the EU.
We break down how teams can prepare without slowing innovation.
Link to the full guide: https://www.activestate.com/blog/eu-cyber-resilience-act-and-secure-open-source-and-containers/
#EUCRA #DevSecOps #OpenSourceSecurity #SecureSoftware #ContainerSecurity
On this episode of #OpenSourceSecurity I chat with @hughsie about the Linux Vendor Firmware Service (LVFS)
While it's amazing we can update firmware from Linux now, it was a ton of work to get us here
If you have gear that doesn't work with LVFS, make sure you ask the vendor why not (and support the hardware folks who do support LVFS)
https://opensourcesecurity.io/2025/2025-11-lvfs-richard-hughes/
We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=9a2smJppw0Y