LightNews
brianfox.bsky.social
Brian Fox
@brianfox.bsky.social
360 followers 14 following 9 posts
Sonatype CTO
Posts Media Videos Starter Packs
Reposted by Brian Fox
josh.bressers.name
Josh Bressers @josh.bressers.name · 3d
On #OpenSourceSecurity I had a chat with @brianfox.bsky.social about the sustainability letter from the open source package registries

This one is a big deal. The costs for open source are paid by someone, if you don't know who, you need to read this letter

opensourcesecurity.io/2025/2025-10...
Sustaining Package Repositories with Brian Fox
Brian Fox discusses the challenges and future of open source package repository infrastructure. We discuss the complexities of managing public registries, the impact of overconsumption, and the import...
opensourcesecurity.io
1 2
brianfox.bsky.social
Brian Fox @brianfox.bsky.social · 14d
Yes all of this. Now it’s time to fix it.
mattcoley.bsky.social
Matt Coley @mattcoley.bsky.social · 16d
I love reading these articles and thinking "Yup, that's us on the job. We're part of the industrial inefficiency complex"

Artifactory set up but nobody uses it? 👍
CI jobs with zero caching? 👍
+ they can recursively spawn other jobs? 👍
+ they can trigger from simple "fix typo" commits? 👍
brianfox.bsky.social
Brian Fox @brianfox.bsky.social · 17d
Free isn’t free: the infrastructure behind open source has real costs, and it’s time we aligned usage with responsibility.

This morning we jointly launch a new blog and open letter on sustainable stewardship.

www.sonatype.com/blog/from-ab...
2
brianfox.bsky.social
Brian Fox @brianfox.bsky.social · 17d
Free isn’t free: the infrastructure behind open source has real costs, and it’s time we aligned usage with responsibility.

This morning we jointly launch a new blog and open letter on sustainable stewardship.

www.sonatype.com/blog/from-ab...
From Abuse to Alignment: Why We Need Sustainable Open Source Infrastructure
Open source relies on shared infrastructure. Learn why sustainable stewardship is critical to keep ecosystems like Maven Central strong.
www.sonatype.com
14 24
brianfox.bsky.social
Brian Fox @brianfox.bsky.social · Sep 9
We see more new affected packages over night. It highlights why we built this ml/model for this back when it was still called ml/ai and use it to protect customers in real time.

We will be updating the blog shortly with the new packages.
1
brianfox.bsky.social
Brian Fox @brianfox.bsky.social · Sep 9
Looks
Like we got them taken down. So here it is: www.sonatype.com/blog/npm-cha...
npm Chalk and Debug Packages Hit in Software Supply Chain Attack
Learn about the npm chalk and debug widespread software supply chain attack, highlighting risks and the need for better SBOM and SCA practices.
www.sonatype.com
1
brianfox.bsky.social
Brian Fox @brianfox.bsky.social · Sep 8
More than 1
brianfox.bsky.social
Brian Fox @brianfox.bsky.social · Sep 8
Our malware systems at Sonatype seem to be picking these up coming from other, not yet reported accounts. This attack seems to have landed more publishers as this unfolds. Check your accounts folks while we work with others to contain.
2 4 9
brianfox.bsky.social
Brian Fox @brianfox.bsky.social · Apr 16
Fair. Maybe it’s a scam. Will have to wait and see.
1
Reposted by Brian Fox
helpnetsecurity.com
Help Net Security @helpnetsecurity.com · Apr 3
Open-source malware doubles, data exfiltration attacks dominate

📖 Read more: www.helpnetsecurity.com/2025/04/03/o...

#cybersecurity #cybersecuritynews #opensource @brianfox.bsky.social
Open-source malware doubles, data exfiltration attacks dominate - Help Net Security
A total of 17,954 open source malware packages identified in Q1 2025, according to Sonatype's Open Source Malware Index.
www.helpnetsecurity.com
1 1
brianfox.bsky.social
Brian Fox @brianfox.bsky.social · Apr 16
www.thecvefoundation.org
CVE Foundation
FOR IMMEDIATE RELEASE April 16, 2025 CVE Foundation Launched to Secure the Future of the CVE Program [Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term ...
www.thecvefoundation.org
1
brianfox.bsky.social
Brian Fox @brianfox.bsky.social · Jan 29
Good news for Java developers! Central now validates OpenSSF sigstore signatures as part of publishing. If you’re already signing your artifacts with Sigstore, you’ll now get real-time validation feedback in the Central Publisher Portal.

Read more details here: www.sonatype.com/blog/central...
3 5
Reposted by Brian Fox
openssf.org
OpenSSF @openssf.org · Dec 4
📢 The @linuxfoundation.org, with Harvard's Laboratory for Innovation Science, has released Census III of Free and Open Source Software – Application Libraries. 🖥️ Key insights from OpenSSF help reduce FOSS vulnerabilities and secure supply chains. Read more: openssf.org/press-releas...
2 3