All CosmicBytez Labs articles tagged #Open Source, across news, security advisories, how-to guides, and projects.
An open-source, AI-driven system called ScamBuster adopts victim personas to actively engage with phishing attackers — gathering intelligence on criminal operations while consuming the scammer's time and attention.
The PolinRider campaign has compromised more than 100 legitimate open source packages and repositories to deliver a backdoor and information stealer...
Flipper Devices is downsizing its internal development team but confirms that Flipper Zero firmware development will continue, with greater reliance on...
A roundup of security stories you may have missed: an Anonymous-linked Canadian hacker receives a prison sentence, a researcher drops zero-days in open...
IBM and Red Hat announced Project Lightwell — a $5 billion commitment to secure open-source supply chains using Anthropic's Mythos AI model, which found...
Aggregate, deduplicate, and track security findings from 100+ scanners in a unified dashboard. Build a production-grade vulnerability management pipeline...
Security researchers have found that classic Bash shell techniques — some dating back decades — can bypass the safeguards in most open-source AI coding...
The Linux Foundation has launched Akrites, a new open source security initiative designed to give the community standardized tools and channels to report,...
The Open Source Sustainability Initiative launches to help enterprises manage and secure aging open source projects, addressing the growing compliance and...
Curl 8.21.0 patches 18 vulnerabilities including a 25-year-old mTLS connection reuse flaw (CVE-2026-8932) that could allow authentication bypass. With...
Security researchers have disclosed a class of exploitable flaws in CI/CD pipeline configurations that allow unauthenticated attackers to take full...
TeamPCP's remarkable success attacking open-source software was no accident — it exploited a cultural vulnerability baked into modern development: the...
Deploy Shuffle, the open-source SOAR platform, to automate security workflows and orchestrate your homelab tools — from Wazuh alerts to enrichment lookups...
OWASP has launched CVE Lite CLI, a free open-source command line tool that scans software projects in seconds to identify packages with known CVE…
The European Commission has unveiled a sweeping technology sovereignty package combining a Chips Act 2.0, a Cloud and AI Development Act (CADA), an Open…
Researchers have uncovered a large-scale SEO poisoning campaign that uses fake open-source and freeware project sites to funnel victims through a Traffic…
IBM and Red Hat unveil Project Lightwell, a $5B commitment to securing open-source supply chains by fixing vulnerabilities without breaking production.
Apple has open-sourced its implementations of two NIST-standardized quantum-secure algorithms — ML-KEM and ML-DSA — including formal verification tooling that.
CrowdStrike, Google, and Shadowserver dismantled the Glassworm botnet, stripping operators of infrastructure used to inject malware into OSS packages.
A Gitea flaw lets unauthenticated remote attackers pull private container images from self-hosted deployments with no account or credentials required.
CrowdStrike, Google, and Shadowserver simultaneously disrupted GlassWorm C2 channels, ending a supply-chain campaign targeting developers via packages.
DockSec, an OWASP incubator project, combines multiple container security scanners with AI-generated plain-English remediation guidance and exact Dockerfile.
TeamPCP's Shai-Hulud worm inflicted serious damage on the open source ecosystem — but a close look at their operations raises the question of whether their.
GitHub has rolled out new security controls for npm including staged publishing with 2FA approval requirements and package install policies, giving...
Supply chain security startup Socket has raised $60 million in a new funding round, valuing the company at $1 billion. The capital will expand Socket's...
The public release of the Shai-Hulud worm source code by TeamPCP has triggered a wave of copycat variants appearing across the npm ecosystem. Security...
Threat actors began exploiting CVE-2026-44338, a missing authentication flaw in the PraisonAI multi-agent orchestration framework, within just four hours...
Hundreds of npm packages in the TanStack open source ecosystem have been infected by a fresh wave of Mini Shai-Hulud worm activity from TeamPCP — the same...
The official website for JDownloader, one of the most widely-used open-source download managers, was compromised to distribute malicious Windows and Linux...
Cisco has released a new open source toolkit designed to track and verify the provenance of AI models throughout the supply chain, addressing risks from...
Threat actors are actively exploiting two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptomining...
A critical SQL injection vulnerability in Saltcorn's mobile-sync routes allows any authenticated low-privilege user with read access to a single table to...
A critical improper access control vulnerability in EspoCRM's built-in formula scripting engine allows authenticated administrators to overwrite the...
A critical pre-authorization remote code execution vulnerability in Marimo, the open-source reactive Python notebook, allows unauthenticated attackers to...
A critical SQL injection vulnerability in Jellystat, the open-source statistics app for Jellyfin, allows authenticated users to execute arbitrary SQL...
A critical path traversal vulnerability in Froxlor's Customers.update and Admins.update API endpoints allows authenticated low-privilege users to traverse...
A critical PHP code injection vulnerability in Froxlor allows an admin with change_serversettings permission to inject arbitrary PHP code via unescaped...
A high-severity authorization bypass in SiYuan versions 3.6.3 and below allows attackers with RoleReader publish-service tokens to call a privileged...
Microsoft has suspended developer accounts used to maintain several prominent open-source projects without prior notice or a quick reinstatement path,...
The rebuilt Chainguard Factory platform adds deeper security automation designed to continuously reconcile open source artifacts across containers,...
Anthropic accidentally published the source code for Claude Code — its normally closed-source AI coding assistant — inside an npm package. The company...
A critical chain of vulnerabilities in WWBN AVideo's CloneSite plugin allows fully unauthenticated attackers to achieve remote code execution via key...
Betterleaks is a new open-source tool that scans directories, files, and git repositories for valid secrets — and validates them against live APIs before...
Step-by-step guide to deploying Wazuh as an open-source SIEM and XDR platform. Covers server installation, agent deployment across Windows and Linux,...
A compromised npm publish token was used to inject a malicious postinstall script into Cline CLI version 2.3.0 on February 17, 2026, silently installing...
Step-by-step project guide for building a functional SIEM using Wazuh, Elastic, and Grafana. Perfect for homelabs and small businesses.
Security researchers have discovered malicious code injected into several popular NPM packages with millions of weekly downloads. Developers urged to...