Josh Bressers

@[email protected]
2.6K Followers
881 Following
789 Posts
VP of Security at Anchore - Podcaster (http://opensourcesecuritypodcast.com http://hackerhistory.com) - Blogger (http://opensourcesecurity.io) - He/Him
Podcasthttps://opensourcesecurity.io/
Webhttps://bress.net
Cookies?Yes please
TTY1
Signaljoshbressers.01
Josh Bressers15h ago
Simon Willison16h ago
Warning to open source maintainers: the Axios supply chain attack started with some
very sophisticated social engineering targeted at one of their developers https://simonwillison.net/2026/Apr/3/supply-chain-social-engineering/
The Axios supply chain attack used individually targeted social engineering

The Axios team have published a full postmortem on the supply chain attack which resulted in a malware dependency going out in a release the other day, and it involved …

Simon Willison’s Weblog
Josh Bressers3d ago
Ian Campbell 🏴3d ago

Axios supply chain attack is interesting, partly because I'm not seeing NEARLY the traffic I'd expect to the C2 domain.

I expect some absolute chad caught it early and negotiated a very effective sinkhole.

Josh Bressers3d ago
yossarian (1.3.6.1.4.1.55738)3d ago

I clearly need to start a wall of “trusted publishing would have prevented this” incidents

Edit: but not axios, maybe! Looks like that one may be full maintainer account compromise.

Josh Bressers3d ago

The npm axios package was compromised. You know the drill

https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat

axios compromised on npm: maintainer account hijacked, RAT deployed

Malicious axios versions 1.14.1 and 0.30.4 were published via a hijacked maintainer account. A hidden dependency deploys a cross-platform RAT. Check if you are affected and remediate now.

Josh Bressers3d ago
daniel:// stenberg://4d ago
Hey OpenSSF, maybe talk to the peeps you work with and tell them to NOT do it like this: https://github.com/curl/wcurl/issues/90
Josh Bressers4d ago
sjvn5d ago
Close enough.
Josh Bressers4d ago

This week I had a chat with Michael Winser about securing open source at scale

We recorded prior to the events of the last few weeks, everything Michael talks about with securing our infrastructure is spot on

We touch on package repositories, Alpha Omega, foundations, and more. Michael is doing some really interesting work

https://opensourcesecurity.io/2026/2026-03-michael-winser/

#opensource #alphaomega #supplyChainSecurity

Open Source Security at scale with Michael Winser

Josh talks to Michael Winser about a talk he gave at FOSDEM as well as his work on Alpha Omega at the Linux Foudnation. Michael is approaching open source security in a way that nobody has ever tried before. What if we could fund some really big, really hard projects? It’s not cheap or easy, but he’s getting it done. We spend a lot of the time discussing package registries, which are a huge topic. Michael is doing some amazing work helping package registries which is the first step in a very long journey.

Open Source Security
Josh BressersMar 26
daniel:// stenberg://Mar 26

Don’t trust, verify

https://daniel.haxx.se/blog/2026/03/26/dont-trust-verify/

#curl

Don’t trust, verify

Software and digital security should rely on verification, rather than trust. I want to strongly encourage more users and consumers of software to verify curl. And ideally require that you could do at least this level of verification of other software components in your dependency chains. Attacks are omnipresent With every source code commit and … Continue reading Don’t trust, verify →

daniel.haxx.se
Show threadJosh BressersMar 25

I wrote this up in a bit more detail in a clickbait titled article

https://opensourcesecurity.io/2026/03-open-source-eulogy/

Eulogy for open source

Thank you for clicking on the clickbait! What a year it’s been. It seems like open source is under constant attack. The security people don’t know what’s going on anymore. What day is it? It doesn’t matter. The latest open source mess is the popular open source scanner Trivy being compromised, for a month, then other open source projects downstream in the “chain” getting compromised, which will probably lead to more things getting compromised until we get back to Trivy someday. Then I think we have to call it a supply wheel. I’m not sure how these rules work.

Open Source Security
Josh BressersMar 25
Show threadAnnika BackstromMar 25
@joshbressers i'm switching to closed-source corporate software, which is famously bug- and vulnerability-free