5 curated AppSec resources from opensourceforu.com across 2 topics on appsec.fyi.

opensourceforu.com

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-28.

Date Added: 2026-05-28
Resource: CrowdStrike Google Shut Down Glassworm Malware Operation - Open Source For You (2026; topic: Supply Chain)
Excerpt: CrowdStrike and Google collaborated to dismantle the Glassworm malware operation. The action disrupted a threat actor known for sophisticated and persistent attacks against a variety of entities, and its shutdown represents a major victory in cybersecurity. The linked article offers further details on this joint effort.

Date Added: 2026-05-22
Resource: Drupal Emergency Patch Issued As Critical SQL Injection Bug Hits Open Source Stack - Open Source For You (2026; topic: SQLi)
Excerpt: Report on the emergency patches addressing CVE-2026-9082, a critical SQL injection vulnerability in Drupal Core's database abstraction API. The flaw, exploitable remotely by unauthenticated attackers, can lead to data theft, RCE, and database compromise. It also necessitated upstream security updates for Symfony and Twig, with Twig version 3.26.0 released. While the issue primarily impacts Drupal sites using PostgreSQL, all administrators are urged to patch because of the broader ecosystem implications.

Date Added: 2026-05-14
Resource: Malicious Open Source npm Packages Breach OpenAI Employee Devices - Open Source For You (2026; topic: Supply Chain)
Excerpt: Writeup of the "Mini Shai-Hulud" campaign, detailing how attackers compromised two OpenAI employee devices by uploading 84 malicious versions across 42 @tanstack/* npm packages. Exploiting GitHub Actions and CI/CD cache weaknesses, the packages were designed to steal GitHub tokens, cloud API keys, npm credentials, and CI/CD secrets, impacting projects from Mistral AI and UiPath.

Date Added: 2026-04-24
Resource: GitHub Actions Abuse Fuels Bitwarden Supply Chain Attack - Open Source For You (2026; topic: Supply Chain)
Excerpt: Abuse of GitHub Actions facilitated a supply chain attack targeting the Bitwarden CLI, specifically version 2026.4.0. Attackers injected malicious JavaScript into an npm package, aiming to steal developer credentials, cloud secrets, and GitHub Actions secrets. The campaign, linked to Shai-Hulud activity, also compromised AI coding tools such as Claude Code and Cursor, highlighting risks in CI/CD pipelines and in trust placed in open-source software.

Date Added: 2026-04-17
Resource: Second Open Source Plugin Hijack Raises Alarm Across WordPress Ecosystem - Open Source For You (2026; topic: Supply Chain)
Excerpt: Overview of techniques for securing open-source plugins, prompted by a recent supply-chain attack on WordPress in which a hijacked plugin was used to inject malicious code. The incident highlights weaknesses in ownership transfer processes and the need for rigorous code audits after a plugin changes hands. Thousands of sites were exposed, underscoring the importance of robust security measures in open-source development and distribution.