Attackers can exploit the defect in the widely deployed pac4j with relative ease, but researchers haven’t observed active exploitation in the wild.

Tom Cotton, R-Okla., cited Chinese and Russian involvement in open-source tech and the risks to government and defense systems.

A debate over actual exploitation is muddying response efforts. Multiple researchers say they’ve observed working proof of concepts while others assert evidence of attacks is lacking.

The open-source code library is one of the most extensively used application frameworks. Wiz found vulnerable versions in around 39% of cloud environments.

Self-replicating malware has infected almost 500 open-source packages, exposing more than 26,000 GitHub repositories in less than 24 hours.

Malicious hackers have been attacking the development environment of an open-source AI framework, twisting its functions into a global cryptojacking bot for profit, according to researchers at…

The model, currently in beta mode, is designed to automatically scan, analyze and patch vulnerabilities in private and open-source code bases. 

The high-severity defect affects a widely used — but largely hidden — archive tool that spans many forks.

The open-source software company said exposure is limited to consulting engagements, adding that it hasn’t found evidence of personal or sensitive data theft.

Disaster was averted after widely used open-source packages were compromised via social engineering.