New vulnerabilities are exploited within 1 day on average. This is a crazy time for cybersecurity, but we also need to think about how we can utilize this at our advantage as defenders! Here's what I think: dev.to/mikik/vulner...
Credits to zerodayclock.com for the screenshot
#infosec
I'm honestly surprised that I'm not seeing companies showing (or bragging) about what their tools can do against these attacks - I truly would want to see it!
I'm not seeing much about SCA vendors (e.g. Socket.dev, Snyk) on how well they can protect against supply-chain attacks. I wonder how well these tools actually catch unknown malware (before it's actually found by humans)
Anyone has real-world insights or comparisons?
#supplychain #cybersecurity
I published a blog post that lists recommendations and outlines concrete steps that open source projects can (should?) take to reduce the risk of supply chain breaches similar to the recent Trivy incident: mikael.barbero.tech/blog/post/20...
Exciting news for projects on GitHub looking to use the private vulnerability reporting / security advisories features:
“We're working toward enabling fine-grained permissions for security advisories - create, read, edit, and close/accept/publish”
github.com/orgs/communi...
Would love to hear that talk! I'm assuming it's not public yet? (I can't find by Googling the name of it!)
While not specifically about women, I also really love this video from you: www.youtube.com/watch?v=wDHl... - I keep sharing it whenever someone looks like they may need it!
This is such an amazing video! Thank you for it!
[trigger warning] I still remember being worried to death about my friends in high school and Uni. So often they had horror stories - I truly can't wait for the day where it's no longer a concern/issue
It really sucks. One thing is very important to remember: everyone must keep doing their part for making this world better for women. Never give up, there's always something you can do! Do what you can!
I'm baffled that in 2026 we need to argue that when reporting a vulnerability you shouldn't just click submit and forget, and actually try to help the maintainer when they have questions
Basically: "hey, here's my AI's essay that I didn't verify nor read, have fun, see ya!"
#cybersecurity #oss
By the way @sethmlarson.dev, I'm curious, did you try implementing that policy anywhere yet?
Policies likely should also include something like "Keep it short" or "Keep it brief" - but that's really mainly about AI.
What Daniel Stenberg said at FOSDEM sums it well:
- Before AI: tell me more!
- Now: tell me less!
Thanks for the post! If you are interested, we took some inspiration at github.com/saleor/.gith...
Most tricky is asking for mutual respect & respecting everyone's time. I leaned towards "no low effort", no spam, and requiring reporters to talk to us (no click and forget)
Will see what happens.
The speed at which AI is evolving can be scary for security teams and this can be discouraging especially if you are in a startup.
I came to this conclusion: don't worry about it. Don't overthink it and use your two best tools: talk and governance.
dev.to/mikik/contro...
#cybersecurity #ai
Respecting maintainer time should be in security policies. Even better: you don't even have to mention the elephant in the room!
sethmlarson.dev/respecting-m...
#opensource #oss #security
Happy to see --trace-ascii being put there! Such an amazing feature <3
Earlier I sarcastically said "I can't wait for the Clawdbot botnet" - I really didn't expect to see that blog post
censys.com/blog/opencla...
Oh wow! Seems like PNPM now disables hooks by default, nice! Kudos to them for taking that decision! 👏
#cybersecurty #supplychain
[6/6] I'm curious about what others think. I think it would be a great OSS project (and potentially it could join OSSF)
ofc it will never be as good as Socket or Snyk, but it should still be a decent line of defense. A lot will integrate with existing tools, e.g., Guarddog
[5/6] I have a very solid (and exciting) vision for it and clear & measurable goals written down, and a roadmap. Most things are ready, if all goes well a MVP could likely be done within weeks
Biggest concern: it flops or goals aren't being achieved
I'm most excited about: modularity (→ plugins)
[4/6] Security shouldn't be a blocker for growth, it should be affordable without scarifying quality and visibility, especially when supply chain attacks keep going up: we need powerful tools to be accessible to everyone
[3/6] Free versions of these products are too basic and create a huge gap in observability, auditing, and capabilities
On top, they are fairly vendor-locked as they are companies trying to sell security products (⇒ for obvious reasons they don't integrate w/ tools from their competition)
[2/6] Target audience: small businesses (non-Enterprise) who need visibility (SIEM) & need to protect their developers
There are paid tools on the market for this: Socket, Sonar, Vera Code (and they look amazing!) while their price is right, they cost an arm for small businesses.
[1/6] Sanity check before I start spending months on this: do you think this is a good or a bad idea?
I'm planning on creating a OSS package firewall (pnpm, Poetry, uv, etc.)
#cybersecurity #supplychain
Recording: www.youtube.com/watch?v=TK5T...
We disclosed two new RSC vulnerabilities:
- Denial of Service (High): CVE-2025-55184
- Source Code Exposure (Medium): CVE-2025-55183
Patches are available now, please update immediately.
react.dev/blog/2025/12...
That post was an unexpected (pleasant) rabbithole:
- mcp-scan uses invariant
- Invariant is a tool to write rules (tiny bit similar to Semgrep) to scan MCPs
- Can create rules that detect PIIs
- PIIs are found using the PyPI project presidio
Full of TILs, and tons of neat to play with! Thanks!
Just read Sysdig's EtherRAT analysis and… wow! North Korea is now running a RAT with a C2 through Ethereum smart contracts. And not just that, but also with a 9-RPC consensus layer for resiliency.
Decentralized, resilient, and honestly very clever.
www.sysdig.com/blog/etherra...
#CyberSecurity
The main danger though is being unable to fix CVEs without fixing breaking changes first (rushing breaking change fixes because of a CVE are one of the worst thing to do), but urllib3 has a good track record: v1 didn't reach EOL for a very long time thus users have ample time to migrate
I think the answer lies in the last paragraph of your article: force the change, otherwise a large portion of users will never do the change