#opensourcerisks — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #opensourcerisks, aggregated by home.social.
-
Amazon Q Dev Extension (VSC) was compromised via a GitHub pull request.
🚨 Injected prompt instructed AI to “delete filesystem & cloud resources.”
📆 Deployed July 17 → Flagged July 23 → Fixed July 24 (v1.85.0)
Root cause: Workflow misconfiguration.
Despite AWS’s claims, some say the script executed.
AI + CI/CD = high-risk supply chains.
#AIsecurity #AmazonQ #Infosec #OpenSourceRisks #SupplyChainThreat
-
The rise of malicious npm packages—like `xlsx-to-json-lh` mimicking `xlsx-to-json-lc`—raises urgent questions. Should npm enforce name uniqueness and vetting to stop supply chain attacks, or risk stifling its open ecosystem? #NpmSecurity #OpenSourceRisks #Cybersecurity