Chromium will support third-party Rust libraries

Google has announced that it will allow third-party Rust libraries in its Chromium open-source browser project.

Chrome security team member Dana Jansens published a blog post on Thursday announcing the decision.

Jansens says that Google is now actively pursuing adding a production Rust toolchain to its build system.

“Our goal in bringing Rust into Chromium is to provide a simpler (no IPC) and safer (less complex C++ overall, no memory safety bugs in a sandbox...

Visual Studio Marketplace is the latest supply chain attack vector

Aqua Security researchers have found that hackers are using Visual Studio Marketplace to conduct supply chain attacks.

In a new report, the researchers uncovered that attackers could impersonate popular VS Code extensions to trick developers into downloading malicious versions.

VS Code is the most popular IDE, with around 74.48 percent of developers using it. The vast array of extensions available for VS Code is partly what drives its popularity.

Here are some...

Malware campaign targets official Python and JavaScript repos

An active malware campaign is targeting official Python and JavaScript repositories.

Software supply chain security firm Phylum spotted the campaign. Phylum said that it discovered the campaign after noticing a flurry of activity around typosquats of the popular Python requests package.

Typosquats take advantage of simple typos to install malicious packages.

In this case, the PyPI typos include: dequests, fequests, gequests, rdquests, reauests, reduests,...

OpenWallet aims to support Web3 wallet development

The Linux Foundation has announced OpenWallet, an initiative to support the development of Web3 digital wallets.

“We are convinced that digital wallets will play a critical role for digital societies,” said Jim Zemllin, Executive Director of the Linux Foundation.

“Open software is the key to interoperability and security. We are delighted to host the OpenWallet Foundation and excited for its potential.”

OpenWallet aims to develop a secure and...

PyPI maintainers warn of ongoing phishing attack

The maintainers of the Python Package Index (PyPI) have warned of an ongoing phishing attack targeting users.

“Today we received reports of a phishing campaign targeting PyPI users. This is the first known phishing attack against PyPI,” wrote the maintainers in a tweet.

A phishing email is sent to users warning that PyPI is implementing a mandatory ‘validation’ process and that users must follow a link or risk their package being removed:

The...

Introducing OpenTDF: Open source, accessible security for developers

At Virtru, we believe that the ability to securely share data is essential — and that privacy is a human right that must be protected. It’s a mission we have stuck by since we started in 2011, and sees us supporting over 7,000 organisations worldwide to protect their most valuable asset, their data, with Zero-Trust security and powerful, granular policy controls that tie identity to data, everywhere it moves.

Now, Virtru is giving developers a new way to build security...

AG Grid and TanStack Table join forces as open source partners

Leading industry players AG Grid and TanStack Table, the two main datagrid and table providers, have united as open-source partners to unify their ecosystems and educate users about how and when to choose between their different approaches.

AG Grid and TanStack Table operate within the same problem space as each other, but are implemented via drastically different architectures and paradigms, each offering unique trade-offs, opinions and optimisations depending on use-case....

SFC urges developers to quit GitHub

The SFC (Software Freedom Conservancy) has quit GitHub and urges other developers to follow.

SFC is a non-profit that aims to provide a home and services to Free, Libre, and Open Source Software (FLOSS) projects.

On Thursday, the SFC posted a blog post criticising the dominant role that GitHub has established in FOSS development.

In the post, Bradley Kuhn, SFC policy fellow, and Denver Gingerich, SFC FOSS license compliance engineer, highlighted the dangers of...

GitHub will mandate 2FA to help secure the software supply chain

GitHub will require all users who contribute code on the platform to use 2FA as part of its latest security improvements.

Attacks on the software supply chain are on the increase. GitHub, which has over 83 million code-contributing users, is stepping up to the plate to protect developers and the software supply chain with this major policy change announcement.

“At GitHub, we believe that our unique position as the home for all developers grants us both an opportunity...

GitHub notifies victims of OAuth token theft

GitHub is notifying known victims of an ongoing attack using stolen third-party OAuth user tokens.

OAuth user tokens maintained by Heroku and Travis CI were stolen and abused by an unauthorised party to download data from dozens of organisations, including npm.

Mike Hanley, Chief Security Officer at GitHub, wrote in a blog post:

“We have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and...