A supply-chain campaign tied to PolinRider shows how package ecosystems can turn routine development work into a high-risk execution path.
IBM and Red Hat are reportedly assigning 20,000 engineers to a new service tied to Anthropic-linked findings, a sign that software security is shifting from detection to industrial-scale remediation.
Decades-old Bash tricks are being used to test whether open-source AI coding agents can be pushed past their safety checks and into dangerous repository-driven workflows.
A public extortion listing tied to Settra raises the possibility of document and employee-data exposure, but the truncated post does not confirm a breach or the full scope.
Robert Heel’s textural sound project stands out less for drama than for what it represents: a small, open creative tool built around experimentation, variety, and public code.
A Unit 42-tracked intrusion cluster blended open-source tooling with a custom .NET backdoor, raising the stakes for governments and energy operators that depend on exposed web applications.
A package-chain campaign tied to multiple malware labels is testing how far developer tooling can be pushed before ordinary dependency updates become security events.
A peer-reviewed audit of open-source offensive AI tools points to a blunt risk: in some configurations, the system meant to test security can become the thing that puts the operator at risk.
Daybreak brings together Codex Security, GPT-5.5-Cyber, and Patch the Planet to move AI from finding flaws toward verifying and repairing them in controlled settings.
Four flaws in Dify reportedly exposed weaknesses in tenant isolation, turning routine AI platform features into possible cross-workspace disclosure paths.
A reported supply-chain issue across open-source ecosystems shows how build automation can become a bridge from ordinary code to code execution and credential theft.
Six newly identified vulnerabilities, including two classified as critical, highlight how weaknesses in a threat-intelligence platform can ripple through detection, sharing, and trust.
A large repository-abuse campaign puts a hard truth in focus: on code-sharing platforms, reputation can be weaponized as easily as code.
The upcoming Blender release is framed as a creative upgrade, but simulation changes can also ripple through file compatibility, testing, and production discipline in 3D workflows.
GitHub’s handling of two vulnerability reports now sits at the center of a broader warning about how package trust, maintainer credentials, and install-time automation can collide in open-source ecosystems.
A coalition of more than two dozen organizations is building a shared platform to triage and fix OSS vulnerabilities before patches are released, a sign that coordinated defense is becoming part of the supply chain itself.
The bank is building internal AI for customer intelligence and office automation, but the real story is how data control, model choice, and cyber discipline now sit at the center of the design.
A new roundup on Software Composition Analysis points to a larger truth in modern security: when applications depend on open-source code, knowing what is inside the build is a defensive necessity, not a luxury.
LIPS is an open-source sip-and-puff interface that turns a simple breath-based motion into computer input, offering another route into digital work for people with mobility limitations.
A high-severity flaw in SQLite is a reminder that some of the most consequential security problems live inside libraries quietly shipped by other software, not in obvious internet-facing servers.