home.social

#opensourcerisks — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #opensourcerisks, aggregated by home.social.

  1. Amazon Q Dev Extension (VSC) was compromised via a GitHub pull request.
    🚨 Injected prompt instructed AI to “delete filesystem & cloud resources.”

    📆 Deployed July 17 → Flagged July 23 → Fixed July 24 (v1.85.0)

    Root cause: Workflow misconfiguration.

    Despite AWS’s claims, some say the script executed.

    AI + CI/CD = high-risk supply chains.

    #AIsecurity #AmazonQ #Infosec #OpenSourceRisks #SupplyChainThreat

  2. Amazon Q Dev Extension (VSC) was compromised via a GitHub pull request.
    🚨 Injected prompt instructed AI to “delete filesystem & cloud resources.”

    📆 Deployed July 17 → Flagged July 23 → Fixed July 24 (v1.85.0)

    Root cause: Workflow misconfiguration.

    Despite AWS’s claims, some say the script executed.

    AI + CI/CD = high-risk supply chains.

    #AIsecurity #AmazonQ #Infosec #OpenSourceRisks #SupplyChainThreat

  3. The rise of malicious npm packages—like `xlsx-to-json-lh` mimicking `xlsx-to-json-lc`—raises urgent questions. Should npm enforce name uniqueness and vetting to stop supply chain attacks, or risk stifling its open ecosystem? #NpmSecurity #OpenSourceRisks #Cybersecurity

    saysomething.hashnode.dev/npms

  4. The rise of malicious npm packages—like `xlsx-to-json-lh` mimicking `xlsx-to-json-lc`—raises urgent questions. Should npm enforce name uniqueness and vetting to stop supply chain attacks, or risk stifling its open ecosystem?

    saysomething.hashnode.dev/npms

  5. The rise of malicious npm packages—like `xlsx-to-json-lh` mimicking `xlsx-to-json-lc`—raises urgent questions. Should npm enforce name uniqueness and vetting to stop supply chain attacks, or risk stifling its open ecosystem? #NpmSecurity #OpenSourceRisks #Cybersecurity

    saysomething.hashnode.dev/npms