Security News

Open source vulnerabilities add to security debt
2022-12-19 05:30

The number of open source vulnerabilities that Mend identified and added to its vulnerability database in the first nine months of 2022 was 33 percent greater than in the first nine months of 2021, reflecting both the growth in the number of published open-source packages and the acceleration of vulnerabilities. The report's representative sampling, from January through September 2022, of approximately 1,000 North American companies found that only 13 percent of vulnerabilities seen were remediated, compared with 40 percent remediated by those using modern application security best practices.

Hackers Bombard Open Source Repositories with Over 144,000 Malicious Packages
2022-12-15 09:02

NuGet, PyPi, and npm ecosystems are the target of a new campaign that has resulted in over 144,000 packages being published by unknown threat actors. "The packages were part of a new attack vector, with attackers spamming the open-source ecosystem with packages containing links to phishing campaigns," researchers from Checkmarx and Illustria said in a report published Wednesday.

Open source code for commercial software applications is ubiquitous, but so is the risk
2022-12-14 22:14

The weakness was just one recent example of a backdoor in open source software that lets attackers sneak malicious code onto developer and end-user systems. If experts identify the software supply chain as a key security challenge for 2023, the Log4j phenomenon - not to mention the much-better known SolarWinds incursion in 2019 - shed light on how difficult protecting that process could be: a vast amount of commercial software is not written in-house.

OSV-Scanner: A free vulnerability scanner for open-source software
2022-12-14 14:12

After releasing the Open Source Vulnerabilities database in February, Google has launched OSV-Scanner, a free command line vulnerability scanner that open source developers can use to check for known vulnerabilities in their projects' dependencies.

Open-source repositories flooded by 144,000 phishing packages
2022-12-14 14:00

Unknown threat actors have uploaded a massive 144,294 phishing-related packages to open-source package repositories, including NPM, PyPi, and NuGet. The large-scale attack resulted from automation: the packages were uploaded from accounts using a particular naming scheme, featured similar descriptions, and led to the same cluster of 90 domains that hosted over 65,000 phishing pages.

Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities
2022-12-13 18:22

Google on Tuesday announced the open source availability of OSV-Scanner, a scanner that aims to offer easy access to vulnerability information about various projects. The Go-based tool, powered by the Open Source Vulnerabilities database, is designed to connect "a project's list of dependencies with the vulnerabilities that affect them," Google software engineer Rex Pan said in a post shared with The Hacker News.

Research reveals where 95% of open source vulnerabilities lie
2022-12-09 05:30

New research from Endor Labs offers a view into the rampant but often unmonitored use of existing open-source software in application development and the dangers arising from this common practice. As just one example, the research reveals that 95% of all vulnerabilities are found in transitive dependencies - open-source code packages that developers do not select, but are indirectly pulled into projects.

Open-source tool for security engineers helps automate access reviews
2022-12-07 05:30

ConductorOne open-sourced their identity connectors in a project called Baton, available on GitHub. Each connector gives developers the ability to extract, normalize, and interact with workforce...

Open Source Ransomware Toolkit Cryptonite Turns Into Accidental Wiper Malware
2022-12-06 06:11

A version of an open source ransomware toolkit called Cryptonite has been observed in the wild with wiper capabilities due to its "Weak architecture and programming." Written in Python, the malware employs the Fernet module of the cryptography package to encrypt files with a ".

Open source software host Fosshost shutting down as CEO unreachable
2022-12-04 07:02

Open source software hosting and cloud computing provider Fosshost will no longer be providing services as it reaches end of life. UK-based non-profit Fosshost has been providing services to several high profile open source projects like GNOME, Armbian, Debian and Free Software Foundation Europe completely free of charge.