Magento Open Source

RubyGems pauses new signups after major malicious attack

Cybercrime, News, Risk, Vendors

May 13, 2026

RubyGems has temporarily paused new account signups after what the article described as a major malicious attack involving hundreds of packages. Mend.io said it will share more details once the incident is contained.
Big Tech provides $12.5m to help open source maintainers handle AI-generated bug reports

News, Risk, Vulnerabilities

March 18, 2026

Six major tech firms have provided $12.5 million in grants to a foundation project and OpenSSF to help open source maintainers triage and remediate AI-generated bug and security reports. Details and timing remain unclear.
Python Software Foundation withdraws $1.5M NSF proposal over DEI restriction

News, Policy, Research, Risk, Vulnerabilities

October 30, 2025

The Python Software Foundation has withdrawn a $1.5 million NSF grant proposal after the agency attached a clause barring recipients from operating programs that “advance or promote diversity, equity, and inclusion,” a condition the PSF said conflicts with its mission.
Researchers find 10 typosquatted npm packages delivering cross‑platform credential stealer

Cybercrime, Research, Risk, Vulnerabilities

October 29, 2025

Researchers reported a set of 10 typosquatted npm packages, uploaded on July 4, 2025 and downloaded over 9,900 times, that deploy an obfuscated, multi-stage information stealer which harvests credentials from browsers and system keyrings on Windows, Linux and macOS.
Google DeepMind unveils CodeMender to detect, patch and rewrite vulnerable code

News, Research, Risk, Vendors, Vulnerabilities

October 8, 2025

DeepMind has unveiled CodeMender, an AI agent that detects, patches and rewrites vulnerable code using Gemini models and an LLM-based critique tool; Google says it has upstreamed 72 fixes and is expanding AI security measures including an AI Vulnerability Reward Program and updates to its Secure AI Framework.
Researchers find malicious ‘postmark-mcp’ npm package that forwarded emails to attacker

Cybercrime, News, Research, Risk, Vulnerabilities

September 29, 2025

Researchers say a malicious npm package named “postmark-mcp” copied an official library and, beginning with version 1.0.16, BCC’d every email to an external address, exposing potentially sensitive communications; the package has been removed from npm and users are urged to revoke credentials and check logs.
GitHub outlines changes to harden npm after self-replicating worm incident

Cybercrime, News, Risk, Vendors, Vulnerabilities

September 25, 2025

GitHub said a self-replicating “Shai-Hulud” worm compromised maintainer accounts and injected malicious post-install scripts into npm packages, and outlined changes including required 2FA, short-lived granular tokens and trusted publishing to harden npm’s supply chain.
Adobe patches critical SessionReaper flaw in Magento platforms (CVE-2025-54236)

Cloud, Cybercrime, News, Vulnerabilities

September 10, 2025

Adobe has released a patch for a critical Magento vulnerability known as SessionReaper (CVE-2025-54236) that could allow unauthenticated access to customer accounts via the Commerce REST API. While Adobe says no exploitation has been observed, researchers warn the issue could be exploited at scale and urge immediate patching, with Cloud customers protected by an existing…