open source security: 3 articles
Unpatched RCE Flaw in Gogs Has a Metasploit Module and Zero Response From Maintainers
A critical remote code execution vulnerability (CVSS 9.4) has been discovered in Gogs, a popular open-source self-hosted Git service, allowing any authenticated user to fully compromise servers, steal credentials, or tamper with code repositories. Rapid7 researcher Jonah Burgess reported the flaw to Gogs maintainers in March 2026, but despite initial acknowledgement, they have not responded since and no patch exists, while a public Metasploit exploit module has now been released. Users are advised to disable open registration, restrict repository creation, and turn off the "Rebase before merging" setting as interim mitigations until an official fix is available.
One Hacker Group Is Turning Software Supply Chains Into a Self-Replicating Nightmare
A cybercriminal group called TeamPCP has carried out an unprecedented wave of software supply chain attacks, hiding malware in hundreds of open source tools to breach companies including GitHub, OpenAI, and the European Commission's website. Their self-perpetuating strategy involves stealing developer credentials to compromise more tools, recently automated through a self-spreading worm called Mini Shai-Hulud, resulting in over 500 corrupted software packages across 20 attack waves in just a few months. Security experts warn that organisations should rotate authentication tokens regularly, avoid auto-updating open source tools, and vet new code before deployment, as the group shows no signs of slowing down.
One Hacker Group Is Turning Software Supply Chain Attacks Into a Production Line
A cybercriminal group called TeamPCP has carried out an unprecedented wave of software supply chain attacks, embedding malware in over 500 open source tools to infiltrate hundreds of companies, including GitHub, Anthropic, and the European Commission's public website. The group exploits a self-perpetuating cycle — compromising developer tools to steal credentials, then using those credentials to poison more tools — and has recently automated attacks using a self-spreading worm called Mini Shai-Hulud. Security experts warn that organisations must practice better credential hygiene, carefully vet software updates, and avoid automatically installing the latest versions of open source packages to protect themselves.