#software-supply-chain — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #software-supply-chain, aggregated by home.social.
-
https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised
#CyberSecurity #InfoSec #SupplyChainSecurity #SoftwareSupplyChain #NPM #OpenSourceSecurity #AppSec #DevSecOps #ThreatIntel #Malware #JavaScript #NodeJS #CICD #GitHubActions #CloudSecurity #TypeScript #ReactJS #WebDev #OpenSource #DevTools #SoftwareEngineering #DeveloperSecurity #SecureCoding #GitHub #SupplyChainAttack #Programming #TechNews #DevOps #ApplicationSecurity #ThreatResearch #SecurityEngineering #CyberAttack #Hackers #MalwareAlert #SecurityResearch #DevCommunity
-
One more #breach that @asfaload prevents: https://www.neowin.net/news/if-you-downloaded-this-popular-software-recently-you-might-have-installed-malware/
Our #opensource #multisig solution is auditable and can be #selfhosted. Check info at https://asfaload.com
Available very soon!
#security #softwaresupplychain #jdownloader @neowindy.bsky.social #buildinpublic
-
Deployed backend for the first time, and ran an e2e test script on it successfully 🎉 It registered a #github project, registered a release's assets, collected signatures from devs, and made a download of the asset, checking signatures. Happy with the progress! #buildinpublic #security #softwaresupplychain
-
RE: https://social.lfx.dev/@openssf/116527089393674087
Open infrastructure isn't free. 🌱
Packagist/Composer signed a joint OpenSSF letter with PyPI, crates, Maven, CPAN, etc. on the real cost of running package registries. Packagist needs to finance staff, not just hardware and bandwidth. Contact me if your company's interested in joining our sponsorship program for its launch this month while we work on long term solutions.
#php #phpc #composerphp #softwaresupplychain #PreserveOpenSource #FreeSoftwareIsntFree #OpenSource #Sustainability
-
I wonder if there's a software business model where you buy the software for the binary and the source code? The source code is not exactly open, but is available on that specific version. I'm also wondering how that would work for the software supply chain. 🤔
#Software #business #foss #oss #intelectualProperty #sourcecode #development #developers #SoftwareSupplyChain
-
Asfaload can now use your ed25519 #ssh keys to sign artifacts! No additional key to manage for Asfaload. https://github.com/asfaload/asfaload
#security #softwaresupplychain
-
The EU’s Cyber Resilience Act (CRA) is a “GDPR moment” for #SoftwareSecurity.
In this #InfoQ #podcast, Viktor Peterson explores how the CRA is reshaping expectations for software producers & supply chain compliance.
Key highlights:
✅ Why SBOMs are operational assets
✅ The danger of "weaponized code" in your security tools
✅ The shift toward vendor-neutral discovery
🎧 Listen now: https://bit.ly/429icwC
📄 #transcript included
-
Recent software supply chain attacks - yowers!
In March, popular open source tools Trivy and Axios were compromised with malware, and we won't know the full blast radius for months.
Axios was breached by North Korean hackers who turned it into a malware delivery vehicle for about three hours after attackers hijacked a maintainer's account and slipped a remote-access trojan (RAT) into two seemingly legitimate releases.
Trivy was hacked by a loosely knit band of hackers called TeamPCP, who injected credential-stealing malware.
"Attackers are starting to really look at the supply chain and open source packages, and figure out ways to compromise developers to deliver malware or gather data" ... https://www.theregister.com/2026/04/11/trivy_axios_supply_chain_attacks/ #Hackers #Malware #Software #OpenSource #SoftwareSupplyChain #Trojan #CyberSecurity #Security #Trivy #Axios
-
Not sure it is the right order: our documentation is deployed before our backend is even online :-D
https://www.asfaload.com/doc/
The fastest way to deploy the doc was using https://rust-lang.github.io/mdBook/, incidentally a #rustlang project like us.
#buildinpublic #mdbook #security #softwaresupplychain
-
🚀 NEW on We ❤️ Open Source 🚀
Bryan Behrenshausen offers a clear look at OSPO work, from inbound and outbound efforts to upstream contributions.
The piece also explores why software supply chain visibility is important, but can increase pressure on maintainers without added support.
https://allthingsopen.org/articles/inside-ospo-open-source-program-managers