⚠️ CRITICAL EXPOSURE: Hacker-Controlled Code Executes Privileged Actions on CloudPirates Helm Charts, Leaks Sensitive Doc

#CVE2026 #CloudPirates #GitHubActions #HelmCharts #OpenSourceSecurity #cve #cybersecurity #iso27001

This week on #OpenSourceSecurity I have a chat with Sal Kimmich about open source validation. Sal has some really interesting insight about what the future could look like. It's not patching faster, it's systemic solutions

https://opensourcesecurity.io/2026/2026-06-verification-sal-kimmich/

Open source verification with Sal Kimmich

Josh chats with Sal Kimmich about the current state of everything, and what we can expect next. Sal has some incredible insight into what we can expect to see due to the current wave of security bugs and incidents. There are some new features we will need in both our hardware and software to ward off the state of things. Since those features are years away, what we need in the short term is shoring up our SDLC programs. Sal has some really good medical examples and analogies for this one. It’s a huge problem but not insurmountable.

Open Source Security
We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=UGUnqfA0VuA

Malicious Packages Exploit Realistic Identities

Malicious open source packages are getting smarter, with 91% using realistic identities and naming-variant tactics to blend in with legitimate projects, making them harder to spot. This shift away from simple typosquatting tricks means developers need to be extra vigilant when adding dependencies to their workflows.

https://osintsights.com/malicious-packages-exploit-realistic-identities?utm_source=mastodon&utm_medium=social

#MaliciousPackages #OpenSourceSecurity #SupplyChain #NamingvariantTactics #Typosquatting

Malicious Packages Exploit Realistic Identities

Discover how 91% of malicious packages exploit realistic identities using naming-variant tactics, and learn how to protect your projects now with expert insights.

OSINTSights

🚨 New attack on the NPM ecosystem!
On Jan. 23, 2024, critical JavaScript packages were compromised with the malware **“Shuffled NPM”**.

**Important:**
- Check your dependencies ▶ Use hash checks & automated scans.
- Follow the security advisories from npm‑security.
- Use lock files & monorepos to prevent unwanted updates.

#JavaScript #NPM #OpenSourceSecurity #NodeJS #PrivacyFirst

🔗 https://news.google.com/rss/articles/CBMijgFBVV95cUxQSzRWMU5rVVRHbGJsMWVYQ3NET1Y0cGNLX2NWbjdnWGEtT0ktZm5iMnctTnQwQXFPemlUUkEyRzNvdWxNeXBRMkQ4MTJKMDRLSnhJd2FlZjE4UFJiSjJJN3FFV3dESWI1WG9ZQVoyVXVoLXJNXzF4WmE0dk9SS2VTb3gyb01tNjk2ZGJUbHdB?oc=5

TeamPCP compromised LiteLLM in a targeted AI supply-chain attack - AI tooling is rapidly becoming a high-value entry point for attackers. Trust in the AI stack must be earned continuously. 🤖📦 #AISupplyChain #OpenSourceSecurity

https://www.esecurityplanet.com/threats/teampcp-compromised-litellm-in-ai-supply-chain-attack/

TeamPCP Compromised LiteLLM in AI Supply Chain Attack | eSecurity Planet

TeamPCP used malicious LiteLLM packages to steal AI and cloud credentials in a software supply chain attack.

eSecurity Planet

This week on #OpensourceSecurity I chat with @caseyjohnellis about vulnerability disclosure

This is a pretty hip topic right now, and on any list of the best in the business, Casey is at the top

I guarantee anyone who listens to this one will learn something useful

https://opensourcesecurity.io/2026/2026-05-vulnerability-disclosure-casey-ellis/

Vulnerability disclosure with Casey Ellis

Josh talks to Casey Ellis about why vulnerability disclosure is so hard, and also so important. Casey is one of the best in this space having been a Bugcrowd founder. There are few people with more experience and insight into how a security vulnerability should be handled, and why the explosion of AI is making all this much harder than it’s ever been before. While finding vulnerabilities is easy, reporting them is still a lot of work. Casey is working on helping everyone better understand all this with his disclose.io project.

Open Source Security

GitHub repositories were hit in the Megalodon supply-chain attack - malicious code hiding in trusted projects keeps proving one thing: dependencies are the new perimeter. 📦🦈 #SupplyChainAttack #OpenSourceSecurity

https://hackread.com/github-repositories-megalodon-supply-chain-attack/

5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours

SafeDep uncovered the Megalodon attack targeting 5,561 GitHub repositories with malicious CI workflows and cloud credential theft.

Hackread - Cybersecurity News, Data Breaches, AI and More
We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=HlKQmWVn2Kc