In March 2026, the North Korean hacker group UNC1069 compromised the popular JavaScript HTTP client Axios by injecting a remote‑access trojan into the npm package, exposing millions of developers to a sophisticated supply‑chain attack that lasted nearly three hours before detection.
Microsoft, Google and the OpenSSF have pledged $12.5 million to the Linux Foundation, aiming to shift open‑source security from volunteer‑driven maintenance to a systematic, corporate‑backed defense that safeguards critical infrastructure while balancing community autonomy.
OpenClaw, an open‑source AI agent platform, surged in popularity, prompting Google to restrict its Antigravity services after abusive token usage, while its creator Peter Steinberger shares how AI‑driven coding, rapid prototyping, and security concerns shaped the project's explosive growth.
Security researchers at ReversingLabs have uncovered a coordinated campaign by the “Banana Squad” that injects malicious Python toolkits into hundreds of seemingly legitimate open‑source GitHub repositories, using domain squatting, repository impersonation, and hidden code obfuscation to steal sensitive data and evade detection.
Sonatype’s Q1 2025 Open‑Source Malware Index identified 17,954 malicious packages—including hijacked npm crypto modules, a fake Truffle for VS Code extension, and counterfeit Solana packages—revealing that 56% of these components are associated with data breaches, a sharp rise from the 26% reported in Q4 2024, and highlighting the growing prevalence of complex, threat‑laden malware such as droppers and code‑injection threats.
A security researcher uncovered a sophisticated supply‑chain attack where a malicious contributor infiltrated the open‑source xz project, inserted a hidden backdoor into versions 5.6.0 and 5.6.1, and leveraged it to compromise systems that rely on xz via OpenSSH.
A recent security analysis reveals how a malicious contributor infiltrated the open‑source xz compression tool over two and a half years, inserted a backdoor using IFUNC hooks to compromise OpenSSH, and was eventually uncovered due to a CPU‑spike bug, highlighting severe risks for Linux and macOS systems.
Sonatype’s 2023 software supply chain report shows a 29% average year‑over‑year growth in open‑source projects across major ecosystems, a sharp slowdown in download growth, a doubling of malicious packages, and a rapid rise in AI/ML tool adoption among DevOps and SecOps teams.
The article reports on Google’s launch of Duet AI in Workspace, a Chinese firm’s apology over a VS Code‑based IDE, NCSC’s caution about LLMs, IBM’s generative‑AI tool for mainframe modernization, and OpenSSF’s new open‑source security manifesto.
This article explains how open‑source technologies drive digital transformation in finance, outlines the regulatory "Opinions" guiding secure, compliant use, and details a comprehensive open‑source security management framework—including lifecycle standards, a dedicated platform, DevOps integration, SBOM adoption, and continuous risk mitigation.
Google’s open‑source OSV‑Scanner provides a powerful front‑end to the OSV vulnerability database, allowing developers to scan directories, SBOMs, and Docker images for known security issues across 16 ecosystems, outputting results in JSON or table format and supporting ignore rules for specific vulnerabilities.
A malicious update to the npm package node‑ipc, used by vue‑cli, injected anti‑war code that creates unwanted files, overwrites system directories for Russian and Belarusian IPs, and sparked a community response that led to a patched vue‑cli release and detailed remediation steps.
Google’s open‑source security tool, OpenSSF Scorecards, now at version 2.0, automates risk assessment for thousands of projects by providing pass/fail checks, binary‑artifact analysis, dependency verification, and CI/CD token controls, helping organizations identify vulnerable code, malicious contributors, and unsafe dependencies.
This article introduces ten essential open‑source security tools—including Nessus, Snort, Nagios, Ettercap, Infection Monkey, Delta, Cuckoo Sandbox, The Sleuth Kit, Lynis, and Certbot—detailing their main features, licensing models, and typical use cases for vulnerability scanning, intrusion detection, network monitoring, and forensic analysis.
The article explores the concept of trustworthy software, outlines its five key dimensions—safety, reliability, availability, security, and resilience—and describes how Huawei Cloud DevCloud is applying these principles through its open‑source mirror services and secure development practices.
