Open Source Security
7 posts
Open source software security and dependency risk
curl 8.21.0 Fixes 25-Year-Old libcurl mTLS Bug
curl 8.21.0 fixes 18 security flaws, including CVE-2026-8932, a 25-year-old libcurl mTLS connection-reuse bug. The practical risk is in applications that embed libcurl and change client certificate settings while reusing connection pools.
OpenAI Daybreak Turns AI Bug Finding Into a Patching Race
OpenAI expanded Daybreak with Patch the Planet, an updated GPT-5.5-Cyber model, Codex Security workflows, and a partner program for vetted security vendors. The move shifts the AI cybersecurity race from finding more bugs to validating, patching, testing, and landing fixes before maintainers are overwhelmed.
Mastra npm Compromise Turns AI Agent Frameworks Into a Supply-Chain Target
Attackers republished more than 140 Mastra npm packages with a poisoned easy-day-js dependency, exposing AI agent developers to an install-time remote payload. Teams that installed affected @mastra packages on June 17 should treat developer machines and CI runners as compromised.
curl’s July Security Pause Shows AI Bug Reports Have a Human Bottleneck
The curl project will pause public vulnerability reports during July 2026 after months of AI-assisted security-report pressure. The break exposes a practical risk for companies that depend on critical open source software: finding bugs is getting faster than triage, patching, and maintainer capacity.
The Arch AUR Malware Attack Is a Linux Supply Chain Warning
A June 2026 Arch User Repository compromise hit hundreds of community packages with credential-stealing Linux malware. Arch and Arch-based users should treat recent AUR builds as a security event, not a routine package cleanup.
npm 12 Will Make Install Scripts Opt-In by Default
npm 12 is expected in July 2026 with stricter install defaults: dependency lifecycle scripts, Git dependencies, and remote tarballs will no longer run or resolve automatically without approval.
AI Coding Tools Are Making Package Security Harder
Microsoft’s npm findings show why AI coding agents need stricter dependency gates: install scripts, registry routing, lockfiles, CI secrets, and package provenance now sit inside the agent workflow.