Security News

Sonatype has found a massive year-over-year increase in cyberattacks aimed at open source projects. To capitalize on weaknesses in upstream open source ecosystems, cybercriminals continue to target organizations through open source repositories.

Code Intelligence has open-sourced a new security tool, CI Fuzz CLI, which lets developers run coverage-guided fuzz tests directly from the command line to find and fix vulnerabilities at scale. Code Intelligence's new open-source tool aims to tackle these challenges by making fuzz testing usable for all developers.

350,000 open source projects at risk from Python vulnerability. Cybersecurity company Trellix announced Wednesday that a known Python vulnerability puts 350,000 open-source projects and the applications that use them at risk of device take over or malicious code execution.

Trellix Advanced Research Center published its research into CVE-2007-4559, a vulnerability estimated to be present in over 350,000 open-source projects and prevalent in closed-source projects.The vulnerability exists in the Python tarfile module which is a default module in any project using Python and is found extensively in frameworks created by Netflix, AWS, Intel, Facebook, Google, and applications used for machine learning, automation and docker containerization.

Anaconda released its annual 2022 State of Data Science report, revealing the widespread trends, opportunities, and perceived blockers facing the data science, machine learning, and artificial intelligence industries. While open-source software was created by and for developers, it is now an integral part of commercial software development and the backbone for continuous enterprise innovation.

Oxeye security researchers have uncovered several new high severity variants of the IDOR vulnerabilities in CNCF-graduated project Harbor, the popular open-source artifact registry by VMware. Harbor is an open-source cloud native registry project that stores, signs, and scans content.

About 40 percent of industry professionals say their organizations have reduced their usage of open source software due to concerns about security, according to a survey conducted by data science firm Anaconda. About 33 percent of commercial respondents said they had not scaled back on open source, 7 percent said they had increased usage, and 20 percent said they weren't sure.

Google's open source security team says OSS-Fuzz, its community fuzzing service, has helped fix more than 8,000 security vulnerabilities and 26,000 other bugs in open source projects since its 2016 debut. The group would like to see open source developers do more fuzzing to make the world a better place, or at least make software a bit more secure.

The source code of a remote access trojan dubbed 'CodeRAT' has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool. More specifically, CodeRAT supports about 50 commands and comes with extensive monitoring capabilities targeting webmail, Microsoft Office documents, databases, social network platforms, integrated development environment for Windows Android, and even individual websites like PayPal.

Google wants to improve the security of its open source projects and those projects' third-party dependencies by offering rewards for bugs found in them. Google offers rewards for bugs in its open source software.