AI's not going to kill open source code security
Cal.com considers AGPL a license to drill, but not everyone feels that way
Open-source software enables code review and reuse, but known vulnerabilities and unmaintained dependencies can create cybersecurity risks.
Search across headline titles and summaries.
Background for this topic.
Open source is software whose source code is available under a license that permits use, inspection, modification, and redistribution. It may be developed by a community, an organization, or a small group of maintainers; “open” does not guarantee that the code is actively reviewed, supported, or secure.
For security teams, the main concerns are vulnerabilities in dependencies and the software supply chain: a maintainer account, release process, or package can be compromised, while an unmaintained component may retain known flaws. Public code can enable review and faster fixes, but visibility alone is not a control. Maintain an inventory or SBOM of open-source components, pin and verify versions or signatures where possible, monitor vulnerability advisories, and apply updates through a controlled process.
Cal.com considers AGPL a license to drill, but not everyone feels that way
Cal.com considers AGPL a license to drill, but not everyone feels that way Opinion Cal.com has closed its commercial codebase, abandoning years of AGPL-3.0 licensing in a move that has alarmed the developer community that helped build it and sent ripples through the broader open source world.…
Continuous Integration Has Its DownsidesAs supply-chain attacks against widely-used, open-source software repositories continue, experts are urging developers to not only rely on code integrity tools, but also to introduce a delay before merging new repos, since unfolding attacks tend to get spotted in days, if not hours or minutes.
OpenAI's first security hire, Ari Herbert-Voss, thinks more automated bug finding will improve security without costing jobs
OpenAI's first security hire, Ari Herbert-Voss, thinks more automated bug finding will improve security without costing jobs Black Hat Asia Open source models can find bugs as effectively as Anthropic's Mythos, according to Ari Herbert-Voss, CEO of AI-powered security startup RunSybil and OpenAI's first security hire.…
A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving large language models (LLMs), has come under active exploitation in the wild less than 13 hours after its public disclosure
Recent Package Compromises Pushed Software Component Trust to the Security AgendaCloudsmith raised a $72 million Series C led by TCV to expand policy enforcement, auditability and real-time package risk analysis as CISOs focus more closely on software supply-chain threats tied to open-source dependencies, AI-assisted development and compromised artifacts.
Plus, the payload references 'TeamPCP/LiteLLM method' Yet another npm supply-chain attack is worming its way through compromised packages, stealing secrets and sensitive data as it moves through developers' environments, and it shares significant overlap with the open source infections attributed to TeamPCP last month.…
Our research on Void Dokkaebi’s operations uncovered a campaign that turns infected developer repositories into malware delivery channels. By spreading through trusted workflows, organizational codebases, and open-source projects, the threat can scale from a single compromise to a broader supply chain risk.
A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems
Blames outfit called Context.ai, which reckons an agentic OAuth tangle caused the incident Vercel, the company that created the open source Next.js web development framework, has a data leak that led to compromise of some customer credentials, and blamed an outfit called Context.ai for the mess.…