Researchers Uncover Flaws in Popular Open-Source Machine Learning Frameworks

December 6, 2024 at 07:18AM

Cybersecurity researchers uncovered multiple vulnerabilities in open-source machine learning tools like MLflow, H2O, and PyTorch, which can enable code execution. Detected by JFrog, these flaws potentially allow attackers to access sensitive information and perform lateral movements within organizations, highlighting the need for caution with untrusted ML models.

Cybercriminals Exploit Popular Game Engine Godot to Distribute Cross-Platform Malware

November 28, 2024 at 05:06AM

A malware campaign exploiting the Godot Engine has infected over 17,000 systems since June 2024, using crafted GDScript code. The attack employs 200+ bogus GitHub accounts to distribute GodLoader, targeting Windows and adaptable to other OS. This underscores the need for users to download from trusted sources.

PyPI Attack: ChatGPT, Claude Impersonators Deliver JarkaStealer via Python Libraries

November 22, 2024 at 01:58AM

Researchers found two malicious packages on PyPI, impersonating AI models to deploy the JarkaStealer malware. Uploaded in November 2023, the packages had 1,748 and 1,826 downloads, respectively. They revealed risks of supply chain attacks, emphasizing caution when using open-source components in development. The packages are now unavailable for download.

Google’s AI-Powered OSS-Fuzz Tool Finds 26 Vulnerabilities in Open-Source Projects

November 21, 2024 at 03:13AM

Google’s AI-powered fuzzing tool, OSS-Fuzz, has uncovered 26 vulnerabilities, including a medium-severity flaw in OpenSSL (CVE-2024-9143), indicating significant advancements in automated vulnerability detection. The tool enhances code coverage and is part of Google’s transition to memory-safe languages like Rust, alongside new security checks in C++.

Google’s AI bug hunters sniff out two dozen-plus code gremlins that humans missed

November 20, 2024 at 12:09PM

Google’s OSS-Fuzz project has identified 26 vulnerabilities, including a critical flaw in OpenSSL. Utilizing AI-driven fuzzing, the tool finds bugs unlikely to be detected by humans. OSS-Fuzz aims to automate the fuzzing workflow, enhancing code testing with large language models to improve security against potential threats.

Deepen your knowledge of Linux security

November 18, 2024 at 09:51AM

On December 10th at 10am PT/1pm ET, Red Hat will host the State of Linux Security Symposium 2024, offering IT professionals insights on securing Linux environments. Featuring six sessions, topics include security practices, supply chain safeguards, and RHEL benefits. Register now to enhance your Linux security knowledge.

Lessons From OSC&R on Protecting the Software Supply Chain

November 15, 2024 at 09:44AM

Today’s software development, combining open source, third-party, and custom code, faces heightened vulnerabilities, as evidenced by notable breaches. A recent report highlights that 95% of organizations encounter serious risks, emphasizing the need for proactive, multilayered security strategies throughout the development life cycle to mitigate these ongoing threats effectively.

Open Source Security Incidents Aren’t Going Away

November 11, 2024 at 10:11AM

Open source software (OSS) plays a crucial role in technology, yet increasing reliance introduces significant security risks. Organizations benefiting from OSS must ensure robust security practices by investing in skilled engineers. Effective communication, proactive approaches, and continuous vigilance are essential. This need intensifies with the rise of open source AI …

Malicious NPM Packages Target Roblox Users with Data-Stealing Malware

November 8, 2024 at 07:51AM

A new campaign targets the npm package repository with malicious JavaScript libraries that infect Roblox users with stealer malware. The attack exploits trust in open-source ecosystems using deceptive packages and public platforms for operations. Developers are urged to verify package names and scrutinize source code to enhance security practices.

Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages

November 5, 2024 at 01:45AM

A campaign targeting npm developers employs hundreds of typosquat packages to install cross-platform malware, utilizing Ethereum smart contracts for command-and-control. This approach complicates detection and takedown efforts, highlighting vulnerabilities in the open-source ecosystem. The attacker may be Russian-speaking, emphasizing the need for developer vigilance when downloading packages.