Protocol Buffers schemas expose remote code execution risk

A widely used JavaScript implementation of Google’s Protocol Buffers format is placing too much trust in untrusted data, exposing affected applications to remote code execution and other attacks.

Researchers at Cyera have disclosed six vulnerabilities affecting “protobuf.js,” all stemming from the library’s handling of schema and metadata. Attackers could exploit an input validation oversight to…

Tumbleweed Monthly Update - May 2026

May delivered a steady cadence of openSUSE Tumbleweed snapshots across the major desktop stacks with KDE Gear 26.04.1, KDE Frameworks 6.26.0, Plasma 6.6.5 and GNOME 50 minor releases. Mesa made a couple of leaps with the 26.1 series with the new Vulkan 1.4 Application Programming Interfaces, and the Linux kernel progressed from 7.0.5 through 7.0.9 with significant security and driver fixes.…

How Open Source Dependency and Repo Attacks Compromise DevOps Pipelines and How to Stay Safe

Modern applications rely on open source components for up to 90% of their code, creating a vast attack surface dominated by malicious supply chain injections. High-profile incidents like Log4j and the sabotage of colors.js highlight that traditional scanning often fails to detect sophisticated "protestware" or dependency confusion, necessitating 19 practical controls focused on strict intake…

System check: was the security patch already included in the last update?

A familiar scenario: a new security vulnerability (CVE) makes the news and the question comes up: "Has the update actually been installed yet?" Or, after a week with several upgrades, you want to know more precisely how a Debian system has changed.

The changelog as an overview

On Debian, security patches are often "backported" into the existing package version (backporting). […]

On the software supply-chain doom spiral

Hackers are pwning packages at an exhausting clip.

But the hacks are hackneyed. What’s new is the doom cycle: Code that steals keys to publish code to steal more keys.

A zombie army of infected code. And AI is making it worse.

GitHub Actions are a trap

Trivy is an open-source security scanner. But if you used Trivy in late March, you had a bad time.

On March 19th, hackers pushed a version…

From Noise to Signal: Using Runtime Context to Win the Vulnerability Management Battle

By Jonas Rosland

Security teams in 2026 have no shortage of data, alerts, or findings. In 2025 alone, 48,185 Common Vulnerabilities and Exposures (CVEs) were published, a 20.6% increase over 2024’s already record-breaking total of 39,962. That works out to roughly 130 new vulnerabilities disclosed every single day, and for seven consecutive years, the annual count has hit a new record high.

The…

Rethinking Post-Deployment Vulnerability Detection

By Tracy Ragan

Over the past decade, the IT community has made significant progress in improving pre-deployment vulnerability detection. Static analysis, Software Composition Analysis (SCA), container scanning, and dependency analysis are now standard components of modern CI/CD pipelines. These tools help developers identify vulnerable libraries and insecure code before software is…
