Josh Bressers

2.6K Followers
881 Following
793 Posts
VP of Security at Anchore - Podcaster (http://opensourcesecuritypodcast.com http://hackerhistory.com) - Blogger (http://opensourcesecurity.io) - He/Him
Podcast: https://opensourcesecurity.io/
Web: https://bress.net
Cookies?: Yes please
TTY1
Signal: joshbressers.01
Who Built This?

Tracing a dependency back to its source commit.

Andrew Nesbitt
I use Arch btw

Companies will put up all kinds of obstacles to responsible disclosure for researchers to get around, to make their own lives easier. But they often forget that in the end it is the researcher who calls the shots. It is the researcher's vuln and they can do whatever they want with it.

https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/#comments

#vulnerability #disclosure #responsibledisclosure #windows #microsoft

Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit

Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions.

BleepingComputer

I had a chat with @andrewnez about why creating a new package repository is so hard. There are a ton of little details, like support from SBOM and vulnerability scanners, that nobody usually even thinks about. There are so many little details.

Andrew does a great job explaining all this and more

https://opensourcesecurity.io/2026/2026-04-ecosystems-andrew/

Package management challenges with Andrew Nesbitt

Josh welcomes back Andrew Nesbitt to discuss some recent blog posts he wrote about the challenges of new ecosystems as well as challenges of no ecosystems like C. There aren’t very many people who look at multiple ecosystems in the way Andrew does. He has thoughts on why it’s so hard to create a new ecosystem as well as some of the reasons we don’t see a C language ecosystem. Andrew has a ton of interesting ideas and insight for us about both existing, new, and nonexistent ecosystems.

Open Source Security

The Cathedral and the Catacombs - Stretching a metaphor deep into the floor.

https://nesbitt.io/2026/04/06/the-cathedral-and-the-catacombs.html

The Cathedral and the Catacombs

Stretching a metaphor deep into the floor.

Andrew Nesbitt

If you want to see some quality AI security reports, which often identify a bug we don't think has security properties, remember that we disclose every report once closed, and this is now quite a few every week:

https://hackerone.com/curl/hacktivity?type=team

HackerOne

We are spirits, living in an alpha world: Pidgin 3.0 Messaging Client Moves from Experimental Build to Alpha https://linuxiac.com/pidgin-3-0-messaging-client-moves-from-experimental-build-to-alpha/
Pidgin 3.0 Messaging Client Moves from Experimental Build to Alpha

Pidgin 3.0 has entered the alpha stage with version 2.95, featuring updated account settings and ongoing development of Zulip protocol support.

Linuxiac
Warning to open source maintainers: the Axios supply chain attack started with some very sophisticated social engineering targeted at one of their developers https://simonwillison.net/2026/Apr/3/supply-chain-social-engineering/
The Axios supply chain attack used individually targeted social engineering

The Axios team have published a full postmortem on the supply chain attack which resulted in a malware dependency going out in a release the other day, and it involved …

Simon Willison’s Weblog

Axios supply chain attack is interesting, partly because I'm not seeing NEARLY the traffic I'd expect to the C2 domain.

I expect some absolute chad caught it early and negotiated a very effective sinkhole.

I clearly need to start a wall of “trusted publishing would have prevented this” incidents

Edit: but not axios, maybe! Looks like that one may be full maintainer account compromise.