opensourceforu.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-09.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-06-09 2026 | LiteLLM And Starlette Bugs Combine For Critical RCE RiskRCE | Writeup detailing the chained exploitation of LiteLLM's CVE-2026-42271 and Starlette's CVE-2026-48710. This combination allows unauthenticated remote code execution, enabling attackers to steal AI credentials and compromise infrastructure. The vulnerability affects LiteLLM versions 1.74.2 through 1.83.6 and requires upgrading LiteLLM to 1.83.7+ and Starlette to 1.0.1+. |
| 2026-05-28 2026 | CrowdStrike Google Shut Down Glassworm Malware Operation - Open Source For YouSupply Chain | Analysis of the Glassworm botnet operation, disrupted by CrowdStrike and Google, details the targeting of the open-source software supply chain. Attackers poisoned over 300 GitHub repositories, abused compromised NPM and Python packages, and used trojanized VS Code extensions on the Open VSX marketplace to spread malware and steal credentials. The operation highlights the growing threat to developer infrastructure and open-source ecosystems. |
| 2026-05-22 2026 | Drupal Emergency Patch Issued As Critical SQL Injection Bug Hits Open Source Stack - Open Source For YouSQLi | Library of emergency patches addressing CVE-2026-9082, a critical SQL injection vulnerability in Drupal Core's database abstraction API. This flaw, exploitable remotely by unauthenticated attackers, can lead to data theft, RCE, and database compromise. The vulnerability also necessitated upstream security updates for Symfony and Twig, with Twig version 3.26.0 released. While primarily impacting Drupal sites using PostgreSQL, all administrators are urged to patch due to broader ecosystem implications. |
| 2026-05-14 2026 | Malicious Open Source npm Packages Breach OpenAI Employee Devices - Open Source For YouSupply Chain | Writeup of the "Mini Shai-Hulud" campaign, detailing how attackers compromised two OpenAI employee devices by uploading 84 malicious versions across 42 @tanstack/* npm packages. Exploiting GitHub Actions and CI/CD cache weaknesses, these packages were designed to steal GitHub tokens, cloud API keys, npm credentials, and CI/CD secrets, impacting projects from Mistral AI and UiPath. |
| 2026-04-24 2026 | GitHub Actions Abuse Fuels Bitwarden Supply Chain Attack - Open Source For YouSupply Chain | Library abuse within GitHub Actions facilitated a supply chain attack targeting the Bitwarden CLI, specifically version 2026.4.0. Attackers injected malicious JavaScript into an npm package, aiming to steal developer credentials, cloud secrets, and GitHub Actions secrets. This campaign, linked to Shai-Hulud activity, also compromised AI coding tools like Claude Code and Cursor, highlighting risks in CI/CD pipelines and open-source software trust. |
| 2026-04-17 2026 | Second Open Source Plugin Hijack Raises Alarm Across WordPress Ecosystem - Open Source For YouSupply Chain | Library of techniques for securing open-source plugins, prompted by a recent supply-chain attack on WordPress, where a hijacked plugin was used to inject malicious code. This incident highlights vulnerabilities in ownership transfer processes and the need for rigorous code audits post-acquisition. Thousands of sites were exposed due to this attack, emphasizing the critical importance of robust security measures in open-source development and distribution. |