The Five Horsemen of the AI Code Apocalypse: Why Your Current Open Source Software Strategy is a… The era of human scale development is over. In 2026, the velocity of synthetic code generation has turned the software supply chain into a…

5 reasons your open source software strategy is a personal liability in 2026.
AI code volume broke the scan-and-pray model. Here's what's left exposed.

buff.ly/0QNitoA

#OpenSourceSecurity #SoftwareSupplyChain #CyberSecurity

The Illusion of the Clean Perimeter The modern software development lifecycle is no longer operating at human scale.

AI pulls open source dependencies faster than humans can vet them. The perimeter was never the problem.

The ingredients were.

We broke down where application layer security actually stands in 2026.

substack.com/home/post/p-...

#OpenSourceSecurity #SoftwareSupplyChain #CyberSecurity

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=204PIweyiTA

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=204PIweyiTA

North Korea’s Contagious Interview Campaign Spreads Across 5... Contagious Interview published malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist that impersonated legitimate developer tooling and acted as staged loaders to fetch and execute second-stage payloads. The cluster includes a Windows-heavy variant (license-utils-kit) with full RAT capabilities and leverages infrastructure such as apachelicense[.]vercel[.]app and 66[.]45[.]225[.]94 for delivery. #ContagiousInterview #license-utils-kit

North Korean threat actors distributed over 1,000 malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist, using staged loaders and RAT capabilities to target open-source ecosystems. #NorthKorea #SupplyChain #OpenSourceSecurity

Project Glasswing Has Big Tech United. Where's Cloudflare? | Squeakworks Anthropic's Claude Mythos found thousands of zero-days. Apple, Microsoft, Google joined the coalition. One major name is missing. Here's why that matters.

Project Glasswing Has Big Tech United on Security. One Name Is Missing.

#ProjectGlasswing #Cybersecurity #AI #Anthropic #ClaudeMythos #Cloudflare
#OpenSourceSecurity #ZeroDay #InfoSec #AIethics #TechNews

squeakworks.com/blog/project...

North Korean Hackers Target High-Profile Node.js Maintainers North Korean threat actor UNC1069 ran a targeted social engineering campaign against multiple high-profile Node.js maintainers that resulted in two malicious package versions being briefly published to the NPM registry and likely installed by millions. Attackers used staged Slack and Teams meetings, built convincing infrastructure, and delivered a RAT via a...

North Korean threat actor UNC1069 executed a social engineering campaign targeting Node.js maintainers, resulting in two malicious packages briefly published to NPM and likely downloaded by millions. #NorthKorea #NodeJS #OpenSourceSecurity

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=diRrt9HJRZU

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=diRrt9HJRZU

Top npm package backdoored to drop dirty RAT on dev machines Updated: Hijacked maintainer account let attackers slip cross-platform trojan into 100M-downloads-a-week Axios

A backdoored Axios npm package delivered a RAT - another reminder that even trusted libraries can turn into attack vectors. Verify before you trust. 📦⚠️ #OpenSourceSecurity #SupplyChainRisk

AI Supply Chain Security: Why Trust Is Your Biggest Vulnerability
youtu.be/RrzJPOGjI4M #CyberSecurity #AISecurity #ArtificialIntelligence #MachineLearning #SupplyChainSecurity #AIThreats #Infosec #DataSecurity #OpenSourceSecurity #CloudSecurity #RiskManagement #AIGovernance

MCP and Agent security with Luke Hinds Josh talks to Luke Hinds, CEO of Always Further, about MCP and agent security. We start out talking about Luke’s new tool, nono which is a sandboxing tool that has AI agents in mind as a use case. We ...

@josh.bressers.name put it well: MCP is moving faster than anyone can keep up with.
@lukehinds.bsky.social joined #OpenSourceSecurity to dig into why agent security is structurally hard and what kernel-level sandboxing nono.sh actually solves.
Episode: opensourcesecurity.io/2026/2026-03...

Original post on cyberplace.social

Airlock v0.3.0: command modules are now opt-in.

Airlock already shipped hardened deny rules per tool and scoped each container via profiles. Now there's a third layer: no command loads unless the operator enables it.

SSH is worth calling out. It's remote code execution with real keys. If you […]

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=O5ewVqmClYo

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=O5ewVqmClYo

Alpha‑Omega teams up with OpenSSF to boost open‑source security against AI‑driven attacks. New funding means faster vulnerability detection for maintainers. Curious how Google DeepMind fits in? Dive in! #OpenSourceSecurity #AIThreats #OpenSSF

🔗 aidailypost.com/news/alpha-o...

MCP and Agent security with Luke Hinds Josh talks to Luke Hinds, CEO of Always Further, about MCP and agent security. We start out talking about Luke’s new tool, nono which is a sandboxing tool that has AI agents in mind as a use case. We ...

I had a chat on #OpenSourceSecurity with @lukehinds.bsky.social about his project nono as well as MCP security

nono is a sandbox for containing all these tools which is an incredibly difficult problem to solve. The things we see skills and MCP doing are moving forward faster than anyone can keep up

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=0GtI0pEWpzI

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=0GtI0pEWpzI

📦 Installing a single package can introduce dozens of dependencies.

Attackers exploit this through typosquatting, malicious packages, and compromised maintainers.

ENISA’s advisory highlights why dependency visibility is becoming critical.

#CyberSecurity #SoftwareSupplyChain #OpenSourceSecurity

The State of OpenSSL for pyca/cryptography with Alex Gaynor and Paul Kehrer Josh talks to Paul Kehrer and Alex Gaynor, from the Python Cryptographic Authority. Alex and Paul recently published a statement discuss the challenges posed by modern OpenSSL. We discuss the statemen...

This week on #OpenSourceSecurity I had a chat with Paul Kehrer and Alex Gaynor about the statement they published discussing the challenges posed by modern OpenSSL for the python cryptography module

A man with glasses and a white patterned shirt is smiling with his hand near his chin. He has a bald head and light skin.

Marcin Wyszynski warns that open source isn’t the feel‑good story many think. It’s a survival strategy.
Read why teams betting on “free” tools need to rethink risk now:
spr.ly/63329h4jPX

#FoundryExpert #OpenSourceSecurity #SoftwareSupplyChain

Rust coreutils with Sylvestre Ledru Josh talks to Sylvestre Ledru about the Rust coreutils project. We’ve been using GNU coreutils for decades now, and the goal of Rust coreutils is to rewrite these utilities in Rust. The primary reason...

I had a chat on #OpenSourceSecurity with @sylvestreledru.bsky.social about his Rust coreutils work

Replacing coreutils with Rust is one of those things that I love as a way to improve security but also keep a project fresh in the modern age

I learned a ton from this disucssion

⚠️ El desarrollo con IA lleva el riesgo del código abierto al límite

La IA acelera el desarrollo, pero multiplica los riesgos de seguridad

devops.com/ai-fueled-development-pu...

#OpenSourceSecurity #BlackDuckOSSRA #VulnerabilityManagement #RoxsRoss

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=FazSzP_Kty4

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=FazSzP_Kty4

Full breakdown in this week's Securing the Backbone. Link below. 👇

www.linkedin.com/pulse/securi...

#DevSecOps #SoftwareSupplyChain #OpenSourceSecurity #CyberSecurity

Goose and the Agentic AI Foundation with Brad Axen Josh chats with Brad Axen from Block about his creation Goose as well as the Agentic AI Foundation (AAIF). I am quite skeptical of many AI claims, but Brad has a very pragmatic view about where things...

This week on #OpenSourceSecurity I chat with Brad Axen about Goose and the Agentic AI Foundation

I'm often skeptical about AI claims, but I do approve the foundation model and seeing Goose donated to it

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=-Unu5gZ8Cxc

We're LIVE! Join the Anchore Open Source team now to discuss Syft, Grype, and the latest in #OpenSourceSecurity. Ask your questions! https://www.youtube.com/watch?v=-Unu5gZ8Cxc