New from Ossprey: PyPI is cracking down on domain resurrection attacks by invalidating expired maintainer domains.
1,800 accounts un-verified in just 2 months.
Time to check if your dependencies rely on revoked maintainers.
Full blog:
www.ossprey.com/blog/pypi-domain-vigilance
This episode of #OpenSourceSecurity I chat with Ali Akhavani and Behzad Ousat about their paper
Open Source, Open Threats? Investigating Security Challenges in Open-Source Software
We cover some of the findings in the paper: like a 98% increase in reported vulnerabilities compared to a 25% growth in open source ecosystems
We chat about what some of this means now and what it could mean in the future. It's a great discussion!
https://opensourcesecurity.io/2025/2025-08-oss-threats-ali-behzad/
This episode of #OpenSourceSecurity I chat with @tb about crates.io trusted publishing
I learned a ton about how trusted publishing works, it's one of those very new and very interesting topics
And of course anytime I can talk about #Rust it's a great chat :)
https://opensourcesecurity.io/2025/2025-08-cratesio-trusted-publishing-tobias/
How do you secure thousands of open-source projects?
At the June 2025 FreeBSD Developer Summit, Michael Winser shared three years of lessons from the Alpha-Omega project—covering supply chain risk, rapid audits, and sustainable funding.
Watch here: Lessons From Funding Open Source Security Over the Past 3 Years, What’s Ahead
https://youtu.be/6DoT-eFH6tY?si=M_zlAfXFrCrvj36_
This week on #OpenSourceSecurity I chat with Patrick Garrity about what's going on with #CVE
It's a wild couple of months, we break down where are today and where we think it's going to go soon, and why there are some difficult times ahead for vulnerability nerds
https://opensourcesecurity.io/2025/2025-08-cve-patrick-garrity/
Backup is not just a technical task — it's a leadership responsibility.
As the founder of DataDef, I’ve seen too many businesses suffer from one simple mistake: they didn’t back up their data properly.
It’s not just about saving a copy. It’s about resilience.
My rule — and what we follow at DataDef — is simple but powerful:
3-2-1-1-0
3 copies of your data 2 different storage types 1 offsite backup 1 immutable (read-only, ransomware-proof) 0 errors during recovery (because we test everything)
If you don’t have a strategy like this, you’re not protected. You’re hoping for luck.
And hope is not a cybersecurity policy.
If you're a founder, CTO, or CISO — make backup part of your core risk strategy. Before something breaks.
DMs open.
#CyberSecurity #DataDef #Backup #32110 #TechLeadership #ImmutableBackup #MastodonTech #InfoSec #OpenSourceSecurity #BusinessContinuity #DataProtection
@joshbressers nice #opensourcesecurity episode. This is how the sausage is made...
I talked to Daniel Thompson-Yvetot on the latest episode of #OpenSourceSecurity
https://opensourcesecurity.io/2025/2025-07-eu-regulations-daniel-thompson/
The main topic was the coming regulation for software developers. While there are carve outs for open source projects, what counts as an open source project isn't as clear as I thought it was. I learned a ton from Daniel on this one. It's going to be a very interesting couple of years.
This #OpenSourceSecurity episode I chatted with Jan Pleskac from Tropic Square about open source microprocessors
I learned an incredible amount about how this all works, what Tropic Square is trying to do, and what we can start to expect in the future
I would like to say it's time for open source to work its magic on the world of hardware, but it's indescribably more complicated than software
https://opensourcesecurity.io/2025/2025-07-open-source-microprocessors/
We're heading to the NSF Cybersecurity Summit in Boulder (Oct 20-23) for our next in-person training 
We hope to have more information soon and will keep the community updated on details.
#OpenSourceSecurity chats with @Di4na about his blog post explaining hobbyist open source maintainers
Whatever you think you know about open source, you're going to learn something from this one
An enormous amount of the open source that runs the world is written by hobbyists, and how we can support them is not at all obvious or easy
https://opensourcesecurity.io/2025/2025-06-hobbyist-thomas-depierre/
This episode of #OpenSourceSecurity I chat with Aaron Lippold from MITRE about #STIG automation (it's one big open source project)
STIG has historically been incredibly difficult and a bit of a niche space. Thanks to #FedRAMP it's getting more attention than ever before, and the work Aaron has been doing makes it a lot easier
https://opensourcesecurity.io/2025/2025-06-stig-automation-aaron-lippold/
Build a homelab that’s responsive and secure — with open source tools like @CrowdSec 
Check out this great talk by community member Jonny5, recorded at @_bsideskc last month 
https://youtube.com/watch?v=TZFNesWJbTc
Set up CrowdSec IPDEX on OPNsense to enhance threat detection, response, and intelligence gathering.
Follow this guide by CrowdSec Ambassador Flaviu to start running CrowdSec IPDEX, a simple CLI tool that gathers insights on IP addresses, on @opnsense, the open source FreeBSD-based firewall.
Get started 
https://vlaicu.io/posts/crowdsec-ipdex/
This week #OpenSourceSecurity chats with @andrewnez about @ecosystems
Ecosyste.ms is a massive collection of data about open source projects
It's an amazingly useful collection of data. If you're doing anything that needs information about open source packages, or git repos, or even the folks who work on this stuff, you should check it out
https://opensourcesecurity.io/2025/2025-06-ecosystems_andrew_nesbitt/
Member Spotlight: Trail of Bits
From PEP 740 to OpenSSF Scorecard dashboards, they’re shaping the future of #OpenSourceSecurity with standards, prototypes, & policy leadership.
As the image shows, we see that inside the results, many actors are classified as benign, which confirms that although the exploit is dangerous, the actual campaign is not. This level of enrichment provided by CrowdSec CTI helps security teams prioritize alerts, and IPDEX supports this workflow, allowing analysts to filter out harmless campaigns such as the one by the Shadowserver Foundation. You can also add a filter within IPDEX to remove those benign actors and filter on the date of last activity.
You can get started with IPDEX by heading over to the CrowdSec GitHub https://github.com/crowdsecurity/ipdex
[2/2]
Spike in Fortinet CVE-2024-55591 vulnerability rapidly increased in the past week 
The #CrowdSec Network has detected a wave of exploitation attempts targeting CVE-2024-55591, a Fortinet vulnerability that affects FortiWAN versions before 5.3.2. First seen on April 23rd, the CrowdSec Network still sees elevated levels of probing and exploitation.
About the exploit:
This flaw allows remote attackers to perform unauthenticated command injection on exposed FortiWAN instances. This vulnerability affects FortiWAN versions prior to 5.3.2. It enables attackers to execute arbitrary commands via crafted HTTP requests — no authentication required.
Trend analysis: April 23rd: The CrowdSec Network detects a shift in the long-term trend of CVE-2024-55591 exploits. April 23rd - April 28th: Activity increases rapidly from 30 to about 80 malicious IPs reported daily, producing over 400 distinct attack events. April 29 - May 2nd: The attackers take a break. This provides a key point of insight into the nature of this attack campaign. May 3rd - May 19th: The attack picks back up with increased intensity. It now originates from around 200 unique IP addresses per day and produces about 900 attack events per day. May 19th: The CrowdSec Network still sees elevated levels of probing and exploitation attempts.
How to protect your systems: You can use CrowdSec’s open CTI search bar and blocklists to stay ahead of the curve. https://app.crowdsec.net/cti?q=cves%3A%22CVE-2024-55591%22&page=1 Alternatively, you can use CrowdSec’s newest tool, IPDEX, to build instant reports for this particular CVE and explore the data CrowdSec has aggregated. https://www.crowdsec.net/blog/introducing-crowdsec-ipdex
For more information, visit http://crowdsec.net [1/2]
This episode of #OpenSourceSecurity I talk with @paulasadoorian about embedded security, but with an open source twist
It's open source all the way down. And old open source quite often. It's a really fun discussion, I learned a lot!
https://opensourcesecurity.io/2025/2025-05-embedded-security-with-paul-asadoorian/
Thank you Brittany Day, Linux Security for your insightful coverage of #VulnCon25!
This article highlights critical developments in vulnerability management including metadata improvements, supply chain security measures, EU Cyber Resilience Act impacts and emerging security baseline standards.
Read more: https://go.first.org/zeokh
