opensource

Shai-Hulud 2.0: What executives need to know about the supply-chain worm (Nov 24, 2025)

bbossola, , Leave a comment
6–9 minutes
Shai-Hulud 2.0: What executives need to know about the new npm supply-chain worm (Nov 24, 2025)

On November 24, 2025, a second wave of the “Shai-Hulud” npm supply-chain attack began spreading through the JavaScript ecosystem. Attackers compromised maintainer accounts, published trojanized versions of legitimate packages, and used them as a worm to steal credentials and propagate into more projects and organizations.

What happened (in plain terms)

  • Trusted packages were silently replaced with malicious updates. When developers or CI systems installed these versions, the malware ran automatically during install.
  • The malware steals secrets at scale. The payload hunts for npm/GitHub tokens and cloud credentials, then exfiltrates them to attacker-controlled repos.
  • This wave is more capable than September’s. Researchers observed improved execution (including the Bun runtime) and broader credential targeting, making infection faster and harder to spot.
  • High-profile vendors were hit. Packages tied to Zapier, ENS Domains, Postman, PostHog, AsyncAPI and others were compromised, showing the attackers can reach well-run projects—not just obscure libs.

Why this matters to your business

This is not a “developer problem.” It is a direct enterprise risk:

  1. Credential theft = account takeover. If a compromised package was installed in your environment, assume tokens and keys on that machine (or CI runner) may be stolen. That can lead to cloud breaches, source-code theft, or ransomware-style follow-on attacks.
  2. Supply chain blast radius is huge. npm packages are deeply nested in modern apps. One infected dependency can taint many internal services before anyone notices. The campaign has already spread into tens of thousands of GitHub repos.
  3. Regulatory and reputational exposure. If attacker access leads to customer data loss or service disruption, you face incident-response costs, disclosure obligations, and trust damage.

Immediate actions (next 24–72 hours) for your engineering team

If your engineering team uses Node.js / npm anywhere:

  1. Identify exposure.
    • Compare your dependency lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) to the known malicious package/version list from current advisories
    • Search CI logs and build images for installs of those versions around Nov 24, 2025 onward.
    • If you are using Meterian, your teams will be notified tomorrow of any outstanding issue in your projects, while you can also manually trigger a rescan
  2. Treat potentially affected environments as compromised.
    • Rotate all secrets that could have been accessible to developer machines or CI runners: npm tokens, GitHub tokens, cloud keys, DB creds, SaaS API keys.
    • Re-issue creds from a clean machine.
  3. Hunt for persistence.
    • Check for unexpected GitHub Actions / CI workflows, new secrets, or unfamiliar deploy keys. Earlier Shai-Hulud waves used CI backdoors to keep access.
  4. Block known bad versions now.
    • Add deny-lists in artifact proxies (e.g., npm registry mirrors) and internal policy gates.
    • Pin safe versions until the incident stabilizes.

Medium-term fixes (next few weeks) for your engineering team

  • Eliminate long-lived registry tokens. The attack leveraged stolen or weakly protected maintainer/CI tokens; reducing token lifetime and scope cuts worm propagation.
  • Harden CI/CD. Run builds in isolated runners with minimal secrets; require approvals for workflow changes.
  • Adopt dependency trust controls.
    • Prefer verified publishing / signed releases where available.
    • Add automated checks for sudden owner changes, new install scripts, or unusual publish patterns.

The take-home

Shai-Hulud 2.0 is a credential-stealing worm riding on the npm ecosystem. It spreads through normal installs, targets high-value developer and cloud secrets, and has already hit mainstream packages. The right executive posture is: assume compromise if exposed, rotate secrets fast, and tighten the software supply chain permanently. After last September’s incident, we predicted this would rear its ugly head again. Watch a brief update and warning shared earlier this week at one of our meetings.

Meterian CTO Bruno Bossola shares the growing blast radius and all consumers of NPM must stop it

This is a story under development!

Please keep an eye on this blog page, in the meantime here’s the list of affected packages and versions so far:

Package Malicious version(s)
Package name Affected versions
@accordproject/concerto-analysis 3.24.1
@accordproject/concerto-linter 3.24.1
@accordproject/concerto-linter-default-ruleset 3.24.1
@accordproject/concerto-metamodel 3.12.5
@accordproject/concerto-types 3.24.1
@accordproject/markdown-it-cicero 0.16.26
@accordproject/template-engine 2.7.2
@actbase/css-to-react-native-transform 1.0.3
@actbase/native 0.1.32
@actbase/node-server 1.1.19
@actbase/react-absolute 0.8.3
@actbase/react-daum-postcode 1.0.5
@actbase/react-kakaosdk 0.9.27
@actbase/react-native-actionsheet 1.0.3
@actbase/react-native-devtools 0.1.3
@actbase/react-native-fast-image 8.5.13
@actbase/react-native-kakao-channel 1.0.2
@actbase/react-native-kakao-navi 2.0.4
@actbase/react-native-less-transformer 1.0.6
@actbase/react-native-naver-login 1.0.1
@actbase/react-native-simple-video 1.0.13
@actbase/react-native-tiktok 1.1.3
@afetcan/api 0.0.13
@afetcan/storage 0.0.27
@alexadark/amadeus-api 1.0.4
@alexadark/gatsby-theme-events 1.0.1
@alexadark/gatsby-theme-wordpress-blog 2.0.1
@alexadark/reusable-functions 1.5.1
@alexcolls/nuxt-socket.io 0.0.7|0.0.8
@alexcolls/nuxt-ux 0.6.1|0.6.2
@alexcolls/nuxt-ux 0.6.2|0.6.1
@antstackio/eslint-config-antstack 0.0.3
@antstackio/express-graphql-proxy 0.2.8
@antstackio/graphql-body-parser 0.1.1
@antstackio/json-to-graphql 1.0.3
@antstackio/shelbysam 1.1.7
@aryanhussain/my-angular-lib 0.0.23
@asyncapi/dotnet-rabbitmq-template 1.0.2|1.0.1
@asyncapi/edavisualiser 1.2.2|1.2.1
@asyncapi/go-watermill-template 0.2.76|0.2.77
@asyncapi/java-template 0.3.6|0.3.5
@asyncapi/keeper 0.0.3|0.0.2
@asyncapi/php-template 0.1.2|0.1.1
@asyncapi/python-paho-template 0.2.15|0.2.14
@asyncapi/server-api 0.16.25|0.16.24
@asyncapi/studio 1.0.3|1.0.2
@asyncapi/web-component 2.6.7|2.6.6
@bdkinc/knex-ibmi 0.5.7
@browserbasehq/bb9 1.2.21
@browserbasehq/director-ai 1.0.3
@browserbasehq/mcp 2.1.1
@browserbasehq/mcp-server-browserbase 2.4.2
@browserbasehq/sdk-functions 0.0.4
@browserbasehq/stagehand 3.0.4
@browserbasehq/stagehand-docs 1.0.1
@caretive/caret-cli 0.0.2
@chtijs/eslint-config 1.0.1
@clausehq/flows-step-httprequest 0.1.14
@clausehq/flows-step-jsontoxml 0.1.14
@clausehq/flows-step-mqtt 0.1.14
@clausehq/flows-step-sendgridemail 0.1.14
@clausehq/flows-step-taskscreateurl 0.1.14
@cllbk/ghl 1.3.1
@commute/bloom 1.0.3
@commute/market-data 1.0.2
@commute/market-data-chartjs 2.3.1
@dev-blinq/ai-qa-logic 1.0.19
@dev-blinq/cucumber_client 1.0.738
@dev-blinq/cucumber-js 1.0.131
@dev-blinq/ui-systems 1.0.93
@ensdomains/address-encoder 1.1.5
@ensdomains/blacklist 1.0.1
@ensdomains/buffer 0.1.2
@ensdomains/ccip-read-cf-worker 0.0.4
@ensdomains/ccip-read-dns-gateway 0.1.1
@ensdomains/ccip-read-router 0.0.7
@ensdomains/ccip-read-worker-viem 0.0.4
@ensdomains/content-hash 3.0.1
@ensdomains/curvearithmetics 1.0.1
@ensdomains/cypress-metamask 1.2.1
@ensdomains/dnsprovejs 0.5.3
@ensdomains/dnssec-oracle-anchors 0.0.2
@ensdomains/dnssecoraclejs 0.2.9
@ensdomains/durin 0.1.2
@ensdomains/durin-middleware 0.0.2
@ensdomains/ens-archived-contracts 0.0.3
@ensdomains/ens-avatar 1.0.4
@ensdomains/ens-contracts 1.6.1
@ensdomains/ens-test-env 1.0.2
@ensdomains/ens-validation 0.1.1
@ensdomains/ensjs 4.0.3
@ensdomains/ensjs-react 0.0.5
@ensdomains/eth-ens-namehash 2.0.16
@ensdomains/hackathon-registrar 1.0.5
@ensdomains/hardhat-chai-matchers-viem 0.1.15
@ensdomains/hardhat-toolbox-viem-extended 0.0.6
@ensdomains/mock 2.1.52
@ensdomains/name-wrapper 1.0.1
@ensdomains/offchain-resolver-contracts 0.2.2
@ensdomains/op-resolver-contracts 0.0.2
@ensdomains/react-ens-address 0.0.32
@ensdomains/renewal 0.0.13
@ensdomains/renewal-widget 0.1.10
@ensdomains/reverse-records 1.0.1
@ensdomains/server-analytics 0.0.2
@ensdomains/solsha1 0.0.4
@ensdomains/subdomain-registrar 0.2.4
@ensdomains/test-utils 1.3.1
@ensdomains/thorin 0.6.51
@ensdomains/ui 3.4.6
@ensdomains/unicode-confusables 0.1.1
@ensdomains/unruggable-gateways 0.0.3
@ensdomains/vite-plugin-i18next-loader 4.0.4
@ensdomains/web3modal 1.10.2
@everreal/react-charts 2.0.2
@everreal/react-charts 2.0.1|2.0.2
@everreal/validate-esmoduleinterop-imports 1.4.5
@everreal/validate-esmoduleinterop-imports 1.4.4|1.4.5
@everreal/web-analytics 0.0.2
@everreal/web-analytics 0.0.1|0.0.2
@faq-component/core 0.0.4
@faq-component/react 1.0.1
@fishingbooker/browser-sync-plugin 1.0.5
@fishingbooker/react-loader 1.0.7
@fishingbooker/react-pagination 2.0.6
@fishingbooker/react-raty 2.0.1
@fishingbooker/react-swiper 0.1.5
@hapheus/n8n-nodes-pgp 1.5.1
@hover-design/core 0.0.1
@hover-design/react 0.2.1
@huntersofbook/auth-vue 0.4.2
@huntersofbook/core 0.5.1
@huntersofbook/core-nuxt 0.4.2
@huntersofbook/form-naiveui 0.5.1
@huntersofbook/i18n 0.8.2
@huntersofbook/ui 0.5.1
@hyperlook/telemetry-sdk 1.0.19
@ifelsedeveloper/protocol-contracts-svm-idl 0.1.2|0.1.3
@ifelsedeveloper/protocol-contracts-svm-idl 0.1.2
@ifings/design-system 4.9.2
@ifings/metatron3 0.1.5
@jayeshsadhwani/telemetry-sdk 1.0.14
@kvytech/cli 0.0.7
@kvytech/components 0.0.2
@kvytech/habbit-e2e-test 0.0.2
@kvytech/medusa-plugin-announcement 0.0.8
@kvytech/medusa-plugin-management 0.0.5
@kvytech/medusa-plugin-newsletter 0.0.5
@kvytech/medusa-plugin-product-reviews 0.0.9
@kvytech/medusa-plugin-promotion 0.0.2
@kvytech/web 0.0.2
@lessondesk/api-client 9.12.2|9.12.3
@lessondesk/api-client 9.12.3|9.12.2
@lessondesk/babel-preset 1.0.1
@lessondesk/electron-group-api-client 1.0.3
@lessondesk/eslint-config 1.4.2
@lessondesk/material-icons 1.0.3
@lessondesk/react-table-context 2.0.4
@lessondesk/schoolbus 5.2.2|5.2.3
@livecms/live-edit 0.0.32
@livecms/nuxt-live-edit 1.9.2
@louisle2/core 1.0.1
@louisle2/cortex-js 0.1.6
@lpdjs/firestore-repo-service 1.0.1
@lui-ui/lui-nuxt 0.1.1
@lui-ui/lui-tailwindcss 0.1.2
@lui-ui/lui-vue 1.0.13
@markvivanco/app-version-checker 1.0.2|1.0.1
@ntnx/passport-wso2 0.0.3
@ntnx/t 0.0.101
@oku-ui/accordion 0.6.2
@oku-ui/alert-dialog 0.6.2
@oku-ui/arrow 0.6.2
@oku-ui/aspect-ratio 0.6.2
@oku-ui/avatar 0.6.2
@oku-ui/checkbox 0.6.3
@oku-ui/collapsible 0.6.2
@oku-ui/collection 0.6.2
@oku-ui/dialog 0.6.2
@oku-ui/direction 0.6.2
@oku-ui/dismissable-layer 0.6.2
@oku-ui/focus-guards 0.6.2
@oku-ui/focus-scope 0.6.2
@oku-ui/hover-card 0.6.2
@oku-ui/label 0.6.2
@oku-ui/menu 0.6.2
@oku-ui/motion 0.4.4
@oku-ui/motion-nuxt 0.2.2
@oku-ui/popover 0.6.2
@oku-ui/popper 0.6.2
@oku-ui/portal 0.6.2
@oku-ui/presence 0.6.2
@oku-ui/primitive 0.6.2
@oku-ui/primitives 0.7.9
@oku-ui/primitives-nuxt 0.3.1
@oku-ui/progress 0.6.2
@oku-ui/provide 0.6.2
@oku-ui/radio-group 0.6.2
@oku-ui/roving-focus 0.6.2
@oku-ui/scroll-area 0.6.2
@oku-ui/separator 0.6.2
@oku-ui/slider 0.6.2
@oku-ui/slot 0.6.2
@oku-ui/switch 0.6.2
@oku-ui/tabs 0.6.2
@oku-ui/toast 0.6.2
@oku-ui/toggle 0.6.2
@oku-ui/toggle-group 0.6.2
@oku-ui/toolbar 0.6.2
@oku-ui/tooltip 0.6.2
@oku-ui/use-composable 0.6.2
@oku-ui/utils 0.6.2
@oku-ui/visually-hidden 0.6.2
@orbitgtbelgium/mapbox-gl-draw-cut-polygon-mode 2.0.5
@orbitgtbelgium/mapbox-gl-draw-scale-rotate-mode 1.1.1
@orbitgtbelgium/orbit-components 1.2.9
@orbitgtbelgium/time-slider 1.0.187
@osmanekrem/bmad 1.0.6
@osmanekrem/error-handler 1.2.2
@pergel/cli 0.11.1
@pergel/module-box 0.6.1
@pergel/module-graphql 0.6.1
@pergel/module-ui 0.0.9
@pergel/nuxt 0.25.5
@posthog/agent 1.24.1
@posthog/ai 7.1.2
@posthog/cli 0.5.15
@posthog/clickhouse 1.7.1
@posthog/core 1.5.6
@posthog/hedgehog-mode 0.0.42
@posthog/icons 0.36.1
@posthog/lemon-ui 0.0.1
@posthog/nextjs-config 1.5.1
@posthog/nuxt 1.2.9
@posthog/piscina 3.2.1
@posthog/plugin-contrib 0.0.6
@posthog/react-rrweb-player 1.1.4
@posthog/rrdom 0.0.31
@posthog/rrweb 0.0.31
@posthog/rrweb-player 0.0.31
@posthog/rrweb-record 0.0.31
@posthog/rrweb-replay 0.0.19
@posthog/rrweb-snapshot 0.0.31
@posthog/rrweb-utils 0.0.31
@posthog/siphash 1.1.2
@posthog/wizard 1.18.1
@postman/aether-icons 2.23.4|2.23.3|2.23.2
@postman/csv-parse 4.0.5|4.0.3|4.0.4
@postman/node-keytar 7.9.6|7.9.4|7.9.5
@postman/tunnel-agent 0.6.7|0.6.6|0.6.5
@pradhumngautam/common-app 1.0.2
@productdevbook/animejs-vue 0.2.1
@productdevbook/auth 0.2.2
@productdevbook/chatwoot 2.0.1
@productdevbook/motion 1.0.4
@productdevbook/ts-i18n 1.4.2
@pruthvi21/use-debounce 1.0.3
@quick-start-soft/quick-document-translator 1.4.2511142126
@quick-start-soft/quick-git-clean-markdown 1.4.2511142126
@quick-start-soft/quick-markdown 1.4.2511142126
@quick-start-soft/quick-markdown-compose 1.4.2506300029
@quick-start-soft/quick-markdown-image 1.4.2511142126
@quick-start-soft/quick-markdown-print 1.4.2511142126
@quick-start-soft/quick-markdown-translator 1.4.2509202331
@quick-start-soft/quick-remove-image-background 1.4.2511142126
@quick-start-soft/quick-task-refine 1.4.2511142126
@relyt/claude-context-core 0.1.1
@sameepsi/sor 1.0.3
@sameepsi/sor2 2.0.2
@seezo/sdr-mcp-server 0.0.5
@seung-ju/next 0.0.2
@seung-ju/openapi-generator 0.0.4
@seung-ju/react-hooks 0.0.2
@seung-ju/react-native-action-sheet 0.2.1
@silgi/better-auth 0.8.1
@silgi/drizzle 0.8.4
@silgi/ecosystem 0.7.6
@silgi/graphql 0.7.15
@silgi/module-builder 0.8.8
@silgi/openapi 0.7.4
@silgi/permission 0.6.8
@silgi/ratelimit 0.2.1
@silgi/scalar 0.6.2
@silgi/yoga 0.7.1
@sme-ui/aoma-vevasound-metadata-lib 0.1.3
@strapbuild/react-native-date-time-picker 2.0.4
@strapbuild/react-native-perspective-image-cropper 0.4.15
@strapbuild/react-native-perspective-image-cropper-2 0.4.7
@strapbuild/react-native-perspective-image-cropper-poojan31 0.4.6
@suraj_h/medium-common 1.0.5
@thedelta/eslint-config 1.0.2
@tiaanduplessis/json 2.0.2|2.0.3
@tiaanduplessis/json 2.0.3|2.0.2
@tiaanduplessis/react-progressbar 1.0.1|1.0.2
@tiaanduplessis/react-progressbar 1.0.2|1.0.1
@trackstar/angular-trackstar-link 1.0.2
@trackstar/react-trackstar-link 2.0.21
@trackstar/react-trackstar-link-upgrade 1.1.10
@trackstar/test-angular-package 0.0.9
@trackstar/test-package 1.1.5
@trefox/sleekshop-js 0.1.6
@trigo/atrix 7.0.1
@trigo/atrix-elasticsearch 2.0.1
@trigo/atrix-postgres 1.0.3
@trigo/atrix-pubsub 4.0.3
@trigo/atrix-soap 1.0.2
@trigo/atrix-swagger 3.0.1
@trigo/bool-expressions 4.1.3
@trigo/eslint-config-trigo 3.3.1
@trigo/fsm 3.4.2
@trigo/hapi-auth-signedlink 1.3.1
@trigo/pathfinder-ui-css 0.1.1
@trigo/trigo-hapijs 5.0.1
@trpc-rate-limiter/cloudflare 0.1.4
@trpc-rate-limiter/hono 0.1.4
@varsityvibe/api-client 1.3.36|1.3.37
@varsityvibe/utils 5.0.6
@varsityvibe/validation-schemas 0.6.7|0.6.8
@viapip/eslint-config 0.2.4
@vishadtyagi/full-year-calendar 0.1.11
@voiceflow/alexa-types 2.15.61
@voiceflow/alexa-types 2.15.60|2.15.61
@voiceflow/anthropic 0.4.4|0.4.5
@voiceflow/api-sdk 3.28.59
@voiceflow/api-sdk 3.28.58|3.28.59
@voiceflow/backend-utils 5.0.1|5.0.2
@voiceflow/backend-utils 5.0.2|5.0.1
@voiceflow/base-types 2.136.2|2.136.3
@voiceflow/base-types 2.136.3|2.136.2
@voiceflow/body-parser 1.21.2|1.21.3
@voiceflow/chat-types 2.14.58|2.14.59
@voiceflow/chat-types 2.14.59|2.14.58
@voiceflow/circleci-config-sdk-orb-import 0.2.1|0.2.2
@voiceflow/commitlint-config 2.6.1
@voiceflow/commitlint-config 2.6.2|2.6.1
@voiceflow/common 8.9.1|8.9.2
@voiceflow/default-prompt-wrappers 1.7.3|1.7.4
@voiceflow/default-prompt-wrappers 1.7.4|1.7.3
@voiceflow/dependency-cruiser-config 1.8.11|1.8.12
@voiceflow/dependency-cruiser-config 1.8.12|1.8.11
@voiceflow/dtos-interact 1.40.1|1.40.2
@voiceflow/dtos-interact 1.40.2|1.40.1
@voiceflow/encryption 0.3.2|0.3.3
@voiceflow/encryption 0.3.3|0.3.2
@voiceflow/eslint-config 7.16.4|7.16.5
@voiceflow/eslint-plugin 1.6.1|1.6.2
@voiceflow/eslint-plugin 1.6.2|1.6.1
@voiceflow/exception 1.10.1|1.10.2
@voiceflow/exception 1.10.2|1.10.1
@voiceflow/fetch 1.11.1|1.11.2
@voiceflow/general-types 3.2.22|3.2.23
@voiceflow/general-types 3.2.23|3.2.22
@voiceflow/git-branch-check 1.4.3
@voiceflow/git-branch-check 1.4.4|1.4.3
@voiceflow/google-dfes-types 2.17.12|2.17.13
@voiceflow/google-types 2.21.13
@voiceflow/google-types 2.21.12|2.21.13
@voiceflow/husky-config 1.3.1
@voiceflow/husky-config 1.3.1|1.3.2
@voiceflow/logger 2.4.2|2.4.3
@voiceflow/logger 2.4.3|2.4.2
@voiceflow/metrics 1.5.1|1.5.2
@voiceflow/metrics 1.5.2|1.5.1
@voiceflow/natural-language-commander 0.5.2|0.5.3
@voiceflow/nestjs-common 2.75.2|2.75.3
@voiceflow/nestjs-mongodb 1.3.1|1.3.2
@voiceflow/nestjs-rate-limit 1.3.2|1.3.3
@voiceflow/nestjs-rate-limit 1.3.3|1.3.2
@voiceflow/nestjs-redis 1.3.1|1.3.2
@voiceflow/nestjs-timeout 1.3.1
@voiceflow/nestjs-timeout 1.3.1|1.3.2
@voiceflow/npm-package-json-lint-config 1.1.1
@voiceflow/npm-package-json-lint-config 1.1.1|1.1.2
@voiceflow/openai 3.2.2|3.2.3
@voiceflow/pino 6.11.3|6.11.4
@voiceflow/pino 6.11.4|6.11.3
@voiceflow/pino-pretty 4.4.1|4.4.2
@voiceflow/pino-pretty 4.4.2|4.4.1
@voiceflow/prettier-config 1.10.1
@voiceflow/prettier-config 1.10.2|1.10.1
@voiceflow/react-chat 1.65.4
@voiceflow/react-chat 1.65.4|1.65.3
@voiceflow/runtime 1.29.1|1.29.2
@voiceflow/runtime-client-js 1.17.2|1.17.3
@voiceflow/runtime-client-js 1.17.3|1.17.2
@voiceflow/sdk-runtime 1.43.1|1.43.2
@voiceflow/sdk-runtime 1.43.2|1.43.1
@voiceflow/secrets-provider 1.9.2
@voiceflow/secrets-provider 1.9.3|1.9.2
@voiceflow/semantic-release-config 1.4.1
@voiceflow/semantic-release-config 1.4.2|1.4.1
@voiceflow/serverless-plugin-typescript 2.1.7|2.1.8
@voiceflow/slate-serializer 1.7.3|1.7.4
@voiceflow/slate-serializer 1.7.4|1.7.3
@voiceflow/stitches-react 2.3.2|2.3.3
@voiceflow/stitches-react 2.3.3|2.3.2
@voiceflow/storybook-config 1.2.2|1.2.3
@voiceflow/stylelint-config 1.1.1
@voiceflow/stylelint-config 1.1.1|1.1.2
@voiceflow/test-common 2.1.1|2.1.2
@voiceflow/tsconfig 1.12.1
@voiceflow/tsconfig 1.12.2|1.12.1
@voiceflow/tsconfig-paths 1.1.4|1.1.5
@voiceflow/tsconfig-paths 1.1.5|1.1.4
@voiceflow/utils-designer 1.74.20
@voiceflow/utils-designer 1.74.19|1.74.20
@voiceflow/verror 1.1.4
@voiceflow/verror 1.1.5|1.1.4
@voiceflow/vite-config 2.6.2|2.6.3
@voiceflow/vitest-config 1.10.2|1.10.3
@voiceflow/vitest-config 1.10.3|1.10.2
@voiceflow/voice-types 2.10.58|2.10.59
@voiceflow/voice-types 2.10.59|2.10.58
@voiceflow/voiceflow-types 3.32.45|3.32.46
@voiceflow/widget 1.7.18|1.7.19
@vucod/email 0.0.3
@zapier/ai-actions 0.1.20|0.1.19|0.1.18
@zapier/babel-preset-zapier 6.4.2|6.4.1|6.4.3
@zapier/browserslist-config-zapier 1.0.4|1.0.3|1.0.5
@zapier/secret-scrubber 1.1.5|1.1.4|1.1.3
02-echo 0.0.7
ai-crowl-shield 1.0.7
arc-cli-fc 1.0.1
asciitranslator 1.0.3
asyncapi-preview 1.0.2|1.0.1
atrix 1.0.1
automation_model 1.0.491
avvvatars-vue 1.1.2
axios-builder 1.2.1
axios-cancelable 1.0.1|1.0.2
axios-cancelable 1.0.2|1.0.1
axios-timed 1.0.1|1.0.2
axios-timed 1.0.2|1.0.1
barebones-css 1.1.3|1.1.4
barebones-css 1.1.4|1.1.3
benmostyn-frame-print 1.0.1
best_gpio_controller 1.0.10
bestgpiocontroller 1.0.10
better-auth-nuxt 0.0.10
bidirectional-adapter 1.2.2|1.2.3|1.2.4
bidirectional-adapter 1.2.2|1.2.4|1.2.5|1.2.3
blinqio-executions-cli 1.0.41
blob-to-base64 1.0.3
buffered-interpolation-babylon6 0.2.8
bun-plugin-httpfile 0.1.1
bytecode-checker-cli 1.0.11|1.0.8|1.0.9|1.0.10
bytes-to-x 1.0.1
calc-loan-interest 1.0.4
capacitor-plugin-apptrackingios 0.0.21
capacitor-plugin-purchase 0.1.1
capacitor-plugin-scgssigninwithgoogle 0.0.5
capacitor-purchase-history 0.0.10
capacitor-voice-recorder-wav 6.0.3
ceviz 0.0.5
chrome-extension-downloads 0.0.3|0.0.4
claude-token-updater 1.0.3
coinmarketcap-api 3.1.2|3.1.3
coinmarketcap-api 3.1.3|3.1.2
colors-regex 2.0.1
command-irail 0.5.4
compare-obj 1.1.1|1.1.2
composite-reducer 1.0.2|1.0.3|1.0.4|1.0.5
composite-reducer 1.0.4|1.0.3|1.0.2|1.0.5
count-it-down 1.0.1|1.0.2
count-it-down 1.0.2|1.0.1
cpu-instructions 0.0.14
create-director-app 0.1.1
create-glee-app 0.2.3|0.2.2
create-hardhat3-app 1.1.4|1.1.3|1.1.1|1.1.2
create-silgi 0.3.1
crypto-addr-codec 0.1.9
css-dedoupe 0.1.2
csv-tool-cli 1.2.1
dashboard-empty-state 1.0.3
designstudiouiux 1.0.1
devstart-cli 1.0.6
dialogflow-es 1.1.4|1.1.3|1.1.1|1.1.2
discord-bot-server 0.1.2
docusaurus-plugin-vanilla-extract 1.0.3
dont-go 1.1.2
dotnet-template 0.0.3|0.0.4
drop-events-on-property-plugin 0.0.2
easypanel-sdk 0.3.2
email-deliverability-tester 1.1.1
enforce-branch-name 1.1.3
esbuild-plugin-brotli 0.2.1
esbuild-plugin-eta 0.1.1
esbuild-plugin-httpfile 0.4.1
eslint-config-nitpicky 4.0.1
eslint-config-trigo 22.0.2
eslint-config-zeallat-base 1.0.4
ethereum-ens 0.8.1
evm-checkcode-cli 1.0.15|1.0.12|1.0.13|1.0.14
exact-ticker 0.3.5
expo-audio-session 0.2.1
expo-router-on-rails 0.0.4
express-starter-template 1.0.10
expressos 1.1.3
fat-fingered 1.0.1|1.0.2
fat-fingered 1.0.2|1.0.1
feature-flip 1.0.1|1.0.2
feature-flip 1.0.2|1.0.1
firestore-search-engine 1.2.3
fittxt 1.0.2|1.0.3
fittxt 1.0.3|1.0.2
flapstacks 1.0.1|1.0.2
flapstacks 1.0.2|1.0.1
flatten-unflatten 1.0.1|1.0.2
flatten-unflatten 1.0.2|1.0.1
formik-error-focus 2.0.1
formik-store 1.0.1
frontity-starter-theme 1.0.1
fuzzy-finder 1.0.5|1.0.6
gate-evm-check-code2 2.0.3|2.0.4|2.0.5|2.0.6
gate-evm-tools-test 1.0.7|1.0.8|1.0.5|1.0.6
gatsby-plugin-antd 2.2.1
gatsby-plugin-cname 1.0.1|1.0.2
gatsby-plugin-cname 1.0.2|1.0.1
generator-meteor-stock 0.1.6
generator-ng-itobuz 0.0.15
get-them-args 1.3.3
github-action-for-generator 2.1.28
github-action-for-generator 2.1.28|2.1.27
gitsafe 1.0.5
go-template 0.1.8|0.1.9
gulp-inject-envs 1.2.1|1.2.2
gulp-inject-envs 1.2.2|1.2.1
haufe-axera-api-client 0.0.2
haufe-axera-api-client 0.0.1|0.0.2
hope-mapboxdraw 0.1.1
hopedraw 1.0.3
hover-design-prototype 0.0.5
httpness 1.0.2|1.0.3
httpness 1.0.3|1.0.2
hyper-fullfacing 1.0.3
hyperterm-hipster 1.0.7
ids-css 1.5.1
ids-enterprise-mcp-server 0.0.2
ids-enterprise-ng 20.1.6
ids-enterprise-typings 20.1.6
image-to-uri 1.0.1|1.0.2
image-to-uri 1.0.2|1.0.1
insomnia-plugin-random-pick 1.0.4
invo 0.2.2
iron-shield-miniapp 0.0.2
ito-button 8.0.3
itobuz-angular 0.0.1
itobuz-angular-auth 8.0.11
itobuz-angular-button 8.0.11
jacob-zuma 1.0.1|1.0.2
jacob-zuma 1.0.2|1.0.1
jaetut-varit-test 1.0.2
jan-browser 0.13.1
jquery-bindings 1.1.2|1.1.3
jquery-bindings 1.1.3|1.1.2
jsonsurge 1.0.7
just-toasty 1.7.1
kill-port 2.0.2|2.0.3
kill-port 2.0.3|2.0.2
kinetix-default-token-list 1.0.5
kns-error-code 1.0.8
korea-administrative-area-geo-json-util 1.0.7
kwami 1.5.9|1.5.10
lang-codes 1.0.1|1.0.2
lang-codes 1.0.2|1.0.1
license-o-matic 1.2.1|1.2.2
license-o-matic 1.2.2|1.2.1
lint-staged-imagemin 1.3.1|1.3.2
lite-serper-mcp-server 0.2.2
lui-vue-test 0.70.9
luno-api 1.2.3
m25-transaction-utils 1.1.16
manual-billing-system-miniapp-api 1.3.1
medusa-plugin-announcement 0.0.3
medusa-plugin-logs 0.0.17
medusa-plugin-momo 0.0.68
medusa-plugin-product-reviews-kvy 0.0.4
medusa-plugin-zalopay 0.0.40
mod10-check-digit 1.0.1
mon-package-react-typescript 1.0.1
my-saeed-lib 0.1.1
n8n-nodes-tmdb 0.5.1
n8n-nodes-vercel-ai-sdk 0.1.7
n8n-nodes-viral-app 0.2.5
nanoreset 7.0.1|7.0.2
nanoreset 7.0.2|7.0.1
next-circular-dependency 1.0.2|1.0.3
next-circular-dependency 1.0.3|1.0.2
next-simple-google-analytics 1.1.1|1.1.2
next-styled-nprogress 1.0.4|1.0.5
ngx-useful-swiper-prosenjit 9.0.2
ngx-wooapi 12.0.1
nitro-graphql 1.5.12
nitro-kutu 0.1.1
nitrodeploy 1.0.8
nitroping 0.1.1
normal-store 1.3.1|1.3.2|1.3.3
normal-store 1.3.1|1.3.4|1.3.3|1.3.2
nuxt-keycloak 0.2.2
obj-to-css 1.0.2|1.0.3
obj-to-css 1.0.3|1.0.2
okta-react-router-6 5.0.1
open2internet 0.1.1
orbit-boxicons 2.1.3
orbit-nebula-draw-tools 1.0.10
orbit-nebula-editor 1.0.2
orbit-soap 0.43.13
orchestrix 12.1.2
package-tester 1.0.1
parcel-plugin-asset-copier 1.1.2|1.1.3
parcel-plugin-asset-copier 1.1.3|1.1.2
pdf-annotation 0.0.2
pergel 0.13.2
pergeltest 0.0.25
piclite 1.0.1
pico-uid 1.0.3|1.0.4
pico-uid 1.0.4|1.0.3
pkg-readme 1.1.1
poper-react-sdk 0.1.2
posthog-docusaurus 2.0.6
posthog-js 1.297.3
posthog-node 4.18.1|5.13.3|5.11.3
posthog-plugin-hello-world 1.0.1
posthog-react-native 4.11.1|4.12.5
posthog-react-native-session-replay 1.2.2
prime-one-table 0.0.19
prompt-eng 1.0.50
puny-req 1.0.3
quickswap-ads-list 1.0.33
quickswap-default-staking-list 1.0.11
quickswap-default-staking-list-address 1.0.55
quickswap-router-sdk 1.0.1
quickswap-sdk 3.0.44
quickswap-smart-order-router 1.0.1
quickswap-token-lists 1.0.3
quickswap-v2-sdk 2.0.1
ra-auth-firebase 1.0.3
ra-data-firebase 1.0.8|1.0.7
react-component-taggers 0.1.9
react-data-to-export 1.0.1
react-element-prompt-inspector 0.1.18
react-favic 1.0.2
react-hook-form-persist 3.0.1|3.0.2
react-hook-form-persist 3.0.2|3.0.1
react-jam-icons 1.0.1|1.0.2
react-jam-icons 1.0.2|1.0.1
react-keycloak-context 1.0.8|1.0.9
react-library-setup 0.0.6
react-linear-loader 1.0.2
react-micromodal.js 1.0.1|1.0.2
react-micromodal.js 1.0.2|1.0.1
react-native-datepicker-modal 1.3.1|1.3.2
react-native-email 2.1.1|2.1.2
react-native-fetch 2.0.1|2.0.2
react-native-get-pixel-dimensions 1.0.1|1.0.2
react-native-get-pixel-dimensions 1.0.2|1.0.1
react-native-google-maps-directions 2.1.2
react-native-jam-icons 1.0.1|1.0.2
react-native-jam-icons 1.0.2|1.0.1
react-native-log-level 1.2.1|1.2.2
react-native-log-level 1.2.2|1.2.1
react-native-modest-checkbox 3.3.1
react-native-modest-storage 2.1.1
react-native-phone-call 1.2.1|1.2.2
react-native-phone-call 1.2.2|1.2.1
react-native-retriable-fetch 2.0.1|2.0.2
react-native-use-modal 1.0.3
react-native-view-finder 1.2.1|1.2.2
react-native-view-finder 1.2.2|1.2.1
react-native-websocket 1.0.3|1.0.4
react-native-websocket 1.0.4|1.0.3
react-native-worklet-functions 3.3.3
react-packery-component 1.0.3
react-qr-image 1.1.1
react-scrambled-text 1.0.4
rediff 1.0.5
rediff-viewer 0.0.7
redux-router-kit 1.2.2|1.2.4|1.2.3
revenuecat 1.0.1
rollup-plugin-httpfile 0.2.1
sa-company-registration-number-regex 1.0.1|1.0.2
sa-company-registration-number-regex 1.0.2|1.0.1
sa-id-gen 1.0.4|1.0.5
samesame 1.0.3
scgs-capacitor-subscribe 1.0.11
scgsffcreator 1.0.5
schob 1.0.3
set-nested-prop 2.0.1|2.0.2
shelf-jwt-sessions 0.1.2
shell-exec 1.1.3|1.1.4
shell-exec 1.1.4|1.1.3
shinhan-limit-scrap 1.0.3
silgi 0.43.30
simplejsonform 1.0.1
skills-use 0.1.2|0.1.1
solomon-api-stories 1.0.2
solomon-v3-stories 1.15.6
solomon-v3-ui-wrapper 1.6.1
soneium-acs 1.0.1
sort-by-distance 2.0.1
south-african-id-info 1.0.2
stat-fns 1.0.1
stoor 2.3.2
sufetch 0.4.1
super-commit 1.0.1
svelte-autocomplete-select 1.1.1
svelte-toasty 1.1.2|1.1.3
svelte-toasty 1.1.3|1.1.2
tanstack-shadcn-table 1.1.5
tavily-module 1.0.1
tcsp 2.0.2
tcsp-draw-test 1.0.5
tcsp-test-vd 2.4.4
template-lib 1.1.3|1.1.4
template-lib 1.1.4|1.1.3
template-micro-service 1.0.2|1.0.3
template-micro-service 1.0.3|1.0.2
tenacious-fetch 2.3.2|2.3.3
tenacious-fetch 2.3.3|2.3.2
test-foundry-app 1.0.4|1.0.3|1.0.2|1.0.1
test-hardhat-app 1.0.4|1.0.3|1.0.2|1.0.1
test23112222-api 1.0.1
tiaan 1.0.2
tiptap-shadcn-vue 0.2.1
token.js-fork 0.7.32
toonfetch 0.3.2
trigo-react-app 4.1.2
ts-relay-cursor-paging 2.1.1
typeface-antonio-complete 1.0.5
typefence 1.2.2|1.2.3
typeorm-orbit 0.2.27
unadapter 0.1.3
undefsafe-typed 1.0.4
undefsafe-typed 1.0.4|1.0.3
unemail 0.3.1
uniswap-router-sdk 1.6.2
uniswap-smart-order-router 3.16.26
uniswap-test-sdk-core 4.0.8
unsearch 0.0.3
uplandui 0.5.4
upload-to-play-store 1.0.1|1.0.2
upload-to-play-store 1.0.2|1.0.1
url-encode-decode 1.0.1|1.0.2
url-encode-decode 1.0.2|1.0.1
use-unsaved-changes 1.0.9
v-plausible 1.2.1
valid-south-african-id 1.0.3
valuedex-sdk 3.0.5
vf-oss-template 1.0.4|1.0.3|1.0.2|1.0.1
victoria-wallet-constants 0.1.1
victoria-wallet-core 0.1.1
victoria-wallet-type 0.1.1
victoria-wallet-utils 0.1.1
victoria-wallet-validator 0.1.1
victoriaxoaquyet-wallet-core 0.2.1
vite-plugin-httpfile 0.2.1
vue-browserupdate-nuxt 1.0.5
wallet-evm 0.3.1
wallet-type 0.1.1
web-scraper-mcp 1.1.4
web-types-htmx 0.1.1
web-types-lit 0.1.1
webpack-loader-httpfile 0.2.1
wellness-expert-ng-gallery 5.1.1
wenk 1.0.9|1.0.10
zapier-async-storage 1.0.3|1.0.2|1.0.1
zapier-platform-cli 18.0.4|18.0.3|18.0.2
zapier-platform-core 18.0.4|18.0.3|18.0.2
zapier-platform-schema 18.0.4|18.0.3|18.0.2
zapier-scripts 7.8.3|7.8.4
zuper-cli 1.0.1
zuper-sdk 1.0.57
zuper-stream 2.0.9

More information from the world

Shai-Hulud 2.0: What executives need to know about the supply-chain worm (Nov 24, 2025)

Open Source Code in the Insurance Sector: Boom or Cybersecurity Time Bomb?

bbossola, , Leave a comment

Benefits, Risks, and Real-World Attacks Involving Open Source in the Insurance Industry

The insurance sector is undergoing a rapid digital transformation, integrating technologies like artificial intelligence, big data analytics, blockchain, and cloud computing to better serve customers, optimise operations, and reduce fraud. Central to this shift is the growing reliance on open source software (OSS), tools, libraries, and platforms freely available for development, adaptation, and integration. From talking to c-suite members within all of the key sectors, OSS is recognised as beneficial but also seen as the “elephant in the room” as the risks are known but lack of experience in dealing with this layer is allowing threat penetration to be successful

While OSS empowers insurers with flexibility, innovation, and cost efficiency, it also introduces serious cybersecurity risks. This article explores how open source is being used in insurance, outlining  the real-world consequences of cyber threats involving OSS, and assesses the risks of future attacks, especially as threats grow more sophisticated.

Why Insurers Use Open Source Software

Open source components are now integrated into nearly every stage of the software development lifecycle in the insurance industry. Key benefits include:

  • Cost savings: Avoiding high licensing fees of proprietary software.
  • Faster development: Leveraging pre-built libraries and frameworks.
  • Community support: Tapping into vast global expertise and frequent updates.
  • Flexibility: Extending existing open source code to meet business-specific requirements.

Examples include:

  • Apache Kafka and Airflow for real-time data processing.
  • TensorFlow for machine learning in fraud detection.
  • PostgreSQL and MongoDB for scalable data storage.
  • OpenJDK as a base for Java-based enterprise applications.

With open source software, legacy systems have been replaced.  Insurance software providers have gained ready-to-use features and deliver enterprise-grade and SaaS applications 50-60% faster, while avoiding vendor lock-in.  They are seizing the opportunity to be part of a sector-specific open source software community to learn, grow, and contribute, with potential to shape the future direction at a sector level.  Some of these ready-to-use features include policy, claim, and property management, as well as time tracking.  There are also templates available to  offer embedded insurance products seamlessly integrated into customer buying experiences.

The business-led software-driven transformation helps streamline processes, enhance risk assessment, and improve customer service.  We can all appreciate the availability of cloud-based solutions that’s increased the ease of purchasing standalone and embedded insurance products in our daily digital experiences.  Forgot to buy travel insurance when you booked your ski holiday?  Not to worry, because the ski rental agency that’s selling ski lift passes on their mobile web app also lets you buy insurance when you checkout.  Open source software is helping to drive innovation and specialized offers across sectors, benefitting sellers and resellers from greater access to customers wherever they are in their journey.

OSS Cybersecurity Risks of Open Source within the Insurance Sector

Open source code, while powerful, is not immune to vulnerabilities. Many packages are maintained by volunteers, and while updates and patches are released very quickly, it’s difficult for a company to keep the pace, because of lack of  awareness and processes to handle them. A single unpatched library can serve as a gateway to an entire corporate network,  and for insurance companies, this can expose sensitive personal, financial, and medical data.

Key risks include:

  • Direct cyber attacks Because of the lack of vulnerability scanning, simply by leveraging an existing vulnerability in one opensource component used on an internet facing system, a hacker could get access to all internal databases.
  • Supply chain attacks A piece of malicious code included in a widely used software library is then automatically incorporated into thousands of downstream applications that use the library, allowing the attackers to compromise a vast number of targets simultaneously.
  • License mismanagement and IP risks When using a non-business friendly licensed component, there’s a significant risk of being forced to publicly release your own intellectual property, leading to loss of competitive advantage and potential legal action.
  • Shadow IT and undocumented OSS use The unmonitored use of unapproved software, often by developers seeking speed and agility, creates significant security and compliance blind spots, as these tools operate outside of corporate governance and lack security patching or vulnerability tracking

Notable Cyber Attacks Involving Open Source

1. Log4Shell (CVE-2021-44228) – Apache Log4j

In late 2021, a critical remote code execution vulnerability was discovered in Log4j, a widely used Java logging library.

Impact on insurance: Many insurance firms used Java-based enterprise systems that included Log4j, making them vulnerable.

Exploitation: Threat actors could remotely execute arbitrary code on affected systems. APT groups including Charming Kitten (Iran) and APT41 (China) were linked to active exploitation.

2. SolarWinds Supply Chain Attack

Though not directly OSS-related, this 2020 attack brought attention to third-party code risks, including OSS components.

Relevance to insurers: Many insurers use SolarWinds or similar IT management tools, and the incident led to an industry-wide audit of third-party dependencies.

3. MOVEit Transfer Exploits (2023)

Cl0p ransomware gang exploited zero-day vulnerabilities in MOVEit file transfer software, affecting dozens of insurance, healthcare, and finance companies.

Relation to OSS: MOVEit, while proprietary, included OSS components and APIs, showing how OSS can be an indirect vector.

Victims: Included Genworth Financial, a major life and mortgage insurer.

Known Named Threat Actors Targeting the Sector

  • DarkSide / BlackCat: Ransomware-as-a-Service groups frequently use software vulnerabilities, including in OSS, for initial access.
  • FIN11 / Cl0p: A ransomware group known for targeting insurance and financial companies.
  • APT38 (North Korea): Known for financial theft operations, including targeting SWIFT and related financial systems.
  • Lazarus Group: Has targeted healthcare and insurance sectors, possibly for both espionage and financial gain.

Future Threat Landscape: What’s Ahead?

The future risk to insurers from open source-based attacks is growing due to:

  • AI-driven vulnerability discovery tools used by threat actors.
  • Complex OSS supply chains making traceability and patching harder.
  • Open source CI/CD toolchains being exploited (e.g., Jenkins, GitLab CI).

Emerging Concerns:

  • Malicious open source packages: Attackers upload poisoned libraries to repositories like npm or PyPI. Example: “ctx” and “phpass” malicious packages.
  • Dependency confusion attacks: Exploiting package naming inconsistencies in private/public repositories.
  • Insider threats: Poor OSS governance can lead to accidental introduction of vulnerable or backdoored code.

Mitigation Strategies for Insurers

  1. Adopt SBOMs (Software Bill of Materials) Maintain a comprehensive inventory of all open source components in use.
  2. Automated Vulnerability Scanning Use tools like Meterian, WhiteSource, or Dependabot to detect issues early.
  3. Continuous Monitoring & Patching Establish DevSecOps pipelines to enforce regular OSS updates.
  4. Zero Trust Architectures Prevent lateral movement even if a component is compromised.
  5. Training & Awareness Developers should be trained on secure OSS usage and license compliance.

Conclusion

The open source revolution has undeniably propelled innovation in the insurance industry. But this double-edged sword demands a proactive cybersecurity posture. From high-profile exploits like Log4Shell to the growing sophistication of supply chain attacks, it’s clear that OSS security is no longer optional, it’s critical.

Insurers must recognize open source as both an opportunity and a threat. Only through comprehensive risk management, visibility, and cultural change can they unlock its benefits while shielding themselves from cyber catastrophe.

If you’re in insurance, now’s the time to put OSS security on the boardroom agenda.

Get in touch here to see how we can help!

Open Source Code in the Insurance Sector: Boom or Cybersecurity Time Bomb?

Jaguar Land Rover Cyberattack: A Wake-Up Call for Supply Chain Resilience

viviandufour, , , , Leave a comment
3–4 minutes

The automotive giant’s recent cyber breach shows why continuous vulnerability assessment and open-source security are no longer optional.

Earlier this month, Jaguar Land Rover (JLR), the UK’s largest carmaker, was forced to shut down global IT systems after a cyberattack disrupted production across its factories. Plants in Solihull, Halewood, Wolverhampton, and Slovakia were halted. Operations in China, India, and Brazil also felt the ripple effect.

Thousands of employees and suppliers were sent home. Dealers and garages had to switch to manual operations during one of the busiest sales periods of the year: the September license plate registration window.

While no customer data breach has been confirmed, the attack reflects how deeply cybersecurity failures in the supply chain can damage both business operations and national economies. JLR contributes nearly 4% of the UK’s exports.

How the Jaguar Land Rover Attack Happened

The hacking coalition calling itself “Scattered Lapsus$ Hunters” claimed responsibility, posting internal screenshots as proof. Analysts link the group to earlier social engineering campaigns carried out by collectives like Scattered Spider, Lapsus$, and ShinyHunters.

This was not a sophisticated zero-day exploit. It was an attack on trust and resilience. By exploiting weaknesses in IT systems and operational processes, attackers triggered a shutdown that cascaded across JLR’s entire global network.

For an industry where every production hour counts, this was a direct hit to the supply chain.

Why Supply Chain Vulnerabilities Are a Critical Business Risk

The JLR case illustrates the stark reality:

  • Operational Technology (OT) systems are connected to IT systems. A breach in one disrupts the other.
  • Third-party risk is first-party risk. If suppliers or partners are compromised, your own resilience is at stake.
  • Downtime is as damaging as data loss. Even without stolen records, JLR faces millions in lost productivity and missed sales.
  • Open-source software is everywhere. Modern automotive systems depend on open-source libraries and components. Without continuous monitoring, hidden risks can remain undetected until it’s too late.

Where Vulnerability Assessment Makes the Difference

This incident is a powerful reminder of the need for continuous vulnerability assessment and software supply chain security. Key protective measures include:

  • Automated vulnerability scanning across all code, dependencies, and applications
  • SBOM (Software Bill of Materials) to ensure visibility into every open-source component used in critical systems
  • Continuous monitoring for newly disclosed CVEs that could disrupt supply chains
  • DevSecOps integration to ensure remediation is part of the development and deployment pipeline
  • Incident readiness through real-time alerts and automated remediation guidance

How Meterian Helps Build Resilience

Meterian’s platform is built to detect, monitor, and remediate open-source vulnerabilities before they cause widespread damage.

  • BOSS (Business Open Source Sentinel): Provides real-time alerts for newly disclosed vulnerabilities across your software supply chain.
  • Sentinel: Automates vulnerability assessment and integrates into your CI/CD workflows to block unsafe code before it reaches production.
  • SBOM generation and ingestion: Gives you complete visibility into the components your business depends on, simplifying compliance and response.
  • AI-powered continuous monitoring: Ensures you are always ahead of emerging threats—whether in PHP, Java, .NET, or any other stack critical to your business.

Had such systems been in place across JLR and its suppliers, the blast radius of this attack could have been contained, with faster detection and remediation.

Why Open-Source Security Matters

The JLR breach demonstrates a truth we see across industries: open-source security is business security.

When 80–90% of modern applications depend on open-source components, every unpatched library becomes a potential entry point. The cost of ignoring these risks isn’t theoretical. It’s operational paralysis, financial loss, and reputational damage.

Don’t Wait for the Next Breach

The JLR cyber attack is not an isolated incident. It is part of a wider trend of supply chain attacks targeting global industries. The question is not whether open-source vulnerabilities exist in your systems—they do. 

The question is: are you continuously monitoring and remediating them?

Now is the time to take control of your software supply chain.

👉 Learn how to strengthen resilience in our upcoming webinar:
“What’s Open Source Security Got to Do with Resilience of the Supply Chain?”
 📅 September 18, 2025 • 14:00 BST • 15:00 CET • 09:00 ET • 18:30 IST

Register here

Jaguar Land Rover Cyberattack: A Wake-Up Call for Supply Chain Resilience

Ivanti’s RCE Nightmare Started with a Library You Might Be Using Too

viviandufour, , , Leave a comment
2–3 minutes

In May 2025, cybersecurity headlines were dominated by Ivanti Endpoint Manager Mobile (EPMM) facing active exploitation through chained remote code execution (RCE) vulnerabilities—CVE‑2025‑4427 and CVE‑2025‑4428. 

These flaws enabled unauthenticated attackers to execute malicious code on affected systems, affecting enterprises globally. Ivanti’s vulnerabilities were notably tied to outdated open-source Java components, highlighting the critical importance of managing open-source security dependencies.

In this blog, we explore the Ivanti incidents, understand the role vulnerable Java libraries played, and demonstrate how proactive software composition analysis (SCA), continuous monitoring, and automated remediation through Meterian-X could have prevented or swiftly mitigated these attacks.

Ivanti’s Open Source Vulnerability: Java Libraries at Fault

The Ivanti vulnerabilities were rooted in the software’s reliance on outdated versions of Java libraries, specifically including “hibernate-validator.” These libraries were susceptible to chained exploits:

  • CVE‑2025‑4427: Allowed authentication bypass.
  • CVE‑2025‑4428: Enabled subsequent remote code execution (RCE).

These vulnerabilities underscore a significant risk: even trusted enterprise products can expose businesses if they incorporate insecure or outdated open-source components.

Understanding the Attack Surface

Ivanti’s attack scenario reveals common industry oversights:

  • Outdated dependency versions not promptly updated.
  • Inadequate visibility into the software bill of materials (SBOM).
  • Insufficient integration of security checks in the continuous integration and continuous delivery (CI/CD) pipeline.

Given the rise in nation-state actors targeting supply chains, companies must ensure software dependencies are continuously scrutinized.

Continuous Monitoring & Detection with Meterian Sentinel

Meterian Sentinel actively monitors dependencies, aggregating real-time vulnerability intelligence from authoritative sources, such as the National Vulnerability Database and GitHub Security Advisories. 

Sentinel would have identified Ivanti’s outdated “hibernate-validator” dependency, alerting development and security teams of the urgent update required.

BOSS: Immediate Alerting & Automated Remediation

Meterian’s BOSS system provides:

  • Real-time notifications of critical vulnerabilities.
  • Actionable, prioritized remediation steps directly within development workflows.

In Ivanti’s case, BOSS would have immediately alerted to the risky dependency version, detailing the vulnerability and auto-generating a recommended fix within the CI/CD process.

Proactive Prevention: CI/CD Integration Workflow with Meterian-X

Integrating Meterian-X into CI/CD pipelines ensures software vulnerabilities are detected and addressed at the earliest stage, automatically:

  • Scanning: Meterian-X conducts real-time vulnerability scanning, flagging outdated dependencies like “hibernate-validator.”
  • Alerting: Via BOSS, teams receive instant alerts embedded within their existing development tools.
  • Remediation: Meterian-X auto-suggests safe library versions, ensuring secure deployment without manual intervention.
  • Verification: Automatically generates comprehensive SBOM reports (in CycloneDX format), streamlining compliance and software traceability.

This integration transforms vulnerability management from reactive firefighting into proactive security.

The Critical Role of SBOM

The Ivanti incident emphasizes why SBOMs are critical:

  • Manufacturers and enterprises gain transparent, real-time views into their software components.
  • Teams rapidly identify vulnerabilities within third-party dependencies.
  • Regulatory compliance becomes streamlined (e.g., SOC 2, EU CRA, EU DORA).

Meterian-X’s CycloneDX-based SBOM generation and ingestion is integral to maintaining visibility, security, and compliance.

Strengthening Your Software Supply Chain

Ivanti’s vulnerability illustrates a fundamental truth: security must extend beyond internal code to encompass all open-source dependencies. Meterian empowers security leaders, developers, and compliance teams to proactively detect and auto-remediate risks like those affecting Ivanti.

Adopting Meterian’s comprehensive security integration ensures continuous monitoring. It provides a rapid response and reliable protection of your software supply chain. This safeguards your business from the increasing threat of supply-chain-based cyber attacks.

Ivanti’s RCE Nightmare Started with a Library You Might Be Using Too

The Java Clone Hack That Happened in 20 Minutes — Could It Happen to You?

viviandufour, , , , Leave a comment
2–3 minutes
A smartphone displaying icons for a 'Clone App' with error messages and a shield symbol, highlighting cybersecurity themes.

In May 2025, a clone of the secure messaging app Signal — known as TM SGNL by TeleMessage — was compromised in under 20 minutes. The breach wasn’t due to zero-day exploits or state-sponsored threat actors. Instead, it was a plain, preventable Java server misconfiguration that exposed plaintext credentials, archived messages, and encryption keys.

This incident is a stark reminder for security and development teams – modern applications, especially Java-based clone apps, are riddled with hidden vulnerabilities that standard controls often miss.

This is exactly the class of threats Meterian’s continuous monitoring and AI-powered vulnerability intelligence is built to catch early and fix fast.


The TM SGNL Hack: Anatomy of a Misconfiguration

At the heart of the breach was a forgotten and publicly accessible Spring Boot Actuator endpoint. The exposed heap dump included:

  • Admin usernames and passwords in plaintext
  • Encryption keys
  • Archived private messages

TM SGNL had promised end-to-end encryption. Yet archived content was stored insecurely, and passwords were hashed using client-side MD5 — a deprecated and insecure method. The application also ran on an outdated JSP stack, compounding the risk.

The breach showed how vulnerable legacy Java frameworks and poor server hygiene can create systemic risk, even in apps that claim security by design.


Where Continuous Scanning Could Have Helped

This type of vulnerability isn’t exotic. It’s configuration-level, but critically dangerous. Meterian’s platform continuously scans Java applications for:

  • Misconfigured Actuator endpoints
  • Insecure or outdated hashing algorithms (like MD5)
  • Use of legacy Java stacks with unpatched CVEs
  • Exposure of credentials in memory dumps or logs

By aggregating insights from over 15 trusted vulnerability feeds, including the National Vulnerability Database and GitHub Advisories, Meterian flags risks with both high fidelity and low noise.


BOSS & Sentinel: Detect, Alert, Remediate

Meterian’s Sentinel engine would have flagged the publicly exposed /heapdump endpoint immediately as a misconfiguration with known exploit patterns. Combined with BOSS, our automated alerting system, security engineers would receive:

  • A prioritized, actionable report
  • A breakdown of the exposed endpoint’s risk level
  • Suggested auto-remediation steps (e.g., disable public access, require auth tokens)

These insights are delivered directly into existing CI/CD pipelines or DevSecOps dashboards, accelerating mitigation.


Why Java Clone Apps Are Especially Vulnerable

Clone apps often inherit:

  • Outdated codebases
  • Legacy dependencies
  • Minimal refactoring

In many cases, these applications rebrand functionality but retain insecure implementations. TM SGNL reused insecure design patterns while branding itself as a secure communications tool. This mismatch is where attackers thrive.

Meterian’s dependency graph analysis would have:

  • Mapped all third-party Java libraries in use
  • Flagged outdated dependencies
  • Identified insecure hashing libraries

What This Means for Security Leaders

Security isn’t just about patching CVEs. It’s about maintaining visibility and control across all components — including infrastructure, third-party libraries, and code hygiene.

Meterian helps CISOs, developers, and risk managers:

  • Maintain an up-to-date SBOM (using CycloneDX)
  • Integrate continuous monitoring into CI/CD
  • Detect vulnerabilities before they become breaches
  • Proactively secure clone apps before release


Prevention Is Achievable

The TM SGNL breach should not have happened. With continuous scanning, real-time intelligence, and automation-first remediation, it could have been prevented.

Meterian empowers software teams to spot and fix vulnerabilities like these — not weeks after deployment, but during development.

In 2025, security isn’t just a feature. It’s a process. And with Meterian, that process is invisible, continuous, and resilient by design.

The Java Clone Hack That Happened in 20 Minutes — Could It Happen to You?

Rethinking Open Source Security

viviandufour, , Leave a comment

Essential Steps for Leaders Before the Next Supply Chain Attack

Author: Rod Cobain • 4 min read

An illustration representing strategic leadership, featuring a businessman pointing and discussing strategy, alongside chess pieces, a light bulb symbolizing ideas, and a graph indicating growth.

A Storm Is Brewing

We live in an age of unprecedented digital dependency. From agile startups to global enterprises, modern organizations rely on interconnected software systems, primarily driven by open source software (OSS). While OSS is powerful, flexible, and cost-effective, it increasingly represents a critical cybersecurity risk.

Cyber attackers are aggressively exploiting open source vulnerabilities, targeting the tools and libraries that power global innovation. The question isn’t whether your organization uses open source software—it undoubtedly does. The critical question is: How effectively are you securing it?

This article will explore:

  • Why open source vulnerabilities attract cyber attacks.
  • The evolving nature of these threats.
  • The crucial role of cybersecurity thought leadership.
  • Strategic actions leaders must take immediately.

Open Source Software: The Expanding Attack Surface

The Prevalence of Open Source

  • 80-90% of modern applications incorporate OSS components.
  • OSS underpins critical infrastructure including finance, AI, and cloud services.
  • OSS adoption is accelerating within IoT and edge computing environments.

Why Attackers Target Open Source

  • A single vulnerability can impact thousands or millions of systems.
  • Attackers view the software supply chain as an attractive, often poorly defended target.
  • Many organizations lack visibility into OSS dependencies.

Recent High-Profile Incidents

  • Log4Shell (Log4j): A critical vulnerability in a widely used Java library triggered global disruption.
  • SolarWinds: Attackers infiltrated software updates, compromising numerous downstream systems.
  • MOVEit: Exploitation of a vulnerability in file-transfer software resulted in extensive data breaches.

These events signify a broader trend: cyber attacks exploiting OSS vulnerabilities are increasing in frequency and impact.

The Need for Thought Leadership

Challenging False Security Assumptions

Executives often mistakenly assume:

  • OSS security is someone else’s responsibility.
  • Commercial vendors adequately secure dependencies.
  • Development teams alone can manage open source risks effectively.

In reality:

  • OSS projects are often maintained by small volunteer teams.
  • Security debt accumulates rapidly.
  • Strategic oversight cannot be replaced by tools alone.

The Critical Role of Cybersecurity Thought Leadership

1. Driving Organizational Awareness

  • Treat software risk as a business risk.
  • Discuss OSS vulnerabilities regularly at board meetings.
  • Implement continuous monitoring and risk management strategies.

2. Building Industry Collaboration

  • Foster industry-wide partnerships to strengthen OSS security.
  • Support and participate in initiatives such as the Open Source Security Foundation (OpenSSF).

3. Influencing Public Policy

  • Advocate for clear software liability frameworks.
  • Promote mandatory Software Bill of Materials (SBOM) use for transparency and traceability.

4. Leading by Example

  • Adopt secure open source practices internally.
  • Showcase effective practices to peers and partners.
  • Contribute actively to open source communities.

Proactive Leadership Actions: Steps You Should Take Now

For CISOs, CEOs, and Security Officers:

  • Deploy comprehensive Software Composition Analysis (SCA) solutions.
  • Maintain a complete, continuously updated inventory of OSS components.
  • Embed security earlier into the development lifecycle (shift-left approach).
  • Accelerate patching of OSS vulnerabilities through automated remediation.
  • Engage with and support OSS communities financially and operationally.

For Executives and Board Members:

  • Request regular software supply chain risk assessments.
  • Allocate resources to enhance OSS security measures.
  • Support cross-industry initiatives and SBOM adoption.
  • Promote a culture where software security is central to business strategy.

The Broader Impact: Securing a Global Commons

Open source software represents a global digital commons. Poor security practices risk widespread systemic failure, not just isolated breaches. Robust thought leadership from security and business executives can act as a force multiplier by:

  • Driving critical awareness and urgency.
  • Shaping industry standards and best practices.
  • Influencing proactive, collaborative security cultures.

Without proactive leadership, organizations face continuous cycles of reactive firefighting. With it, we can build resilience and trust in the digital future.

Conclusion: Your Leadership Legacy

The stakes have never been higher:

  • Attackers are innovating rapidly.
  • OSS vulnerabilities will continue to surface and be exploited.
  • Regulatory landscapes and liability expectations are evolving quickly.

Now is the time for bold cybersecurity leadership that transcends organizational silos, engages across industries, and shapes global security practices. As a leader, ask yourself:

  • Is your organization prepared for the next OSS attack?
  • Are you shaping the conversation or merely reacting?
  • What legacy will you leave in securing the software that powers the world?

The future of digital trust depends on your answers.

Rethinking Open Source Security

Open Source, Hidden Risk

viviandufour, , , Leave a comment

Part 1: What Business Leaders Must Learn from Recent Cyber Vulnerabilities

Author: Rod Cobain • 4 min read

Three business professionals reading a newspaper titled 'SOURCE: Hidden Risks Susceptible to Cyber Atokspern Attacks' in a modern office setting, discussing hidden risks susceptible to cyber attacks.
AI-generated image of business professionals

Open source software powers your business, it’s a fact whether you know it or not. From core infrastructure to everyday applications, open source code is embedded deep within the tools we trust. It’s a quiet enabler of innovation, agility, and scale.

But recent high-profile vulnerabilities, from Log4Shell to the XZ Utils backdoor, have exposed a hard truth; what’s free and open can also be fragile and risky. For business leaders, these incidents aren’t just technical hiccups. They’re a boardroom-level ticking time bomb. It’s time we stop treating open source security as an engineering detail and start addressing it as a strategic priority.

Many assume that popular open source projects are secure because they’re widely used. But visibility isn’t the same as scrutiny. The Log4Shell vulnerability sat undetected in a core Java logging library for nearly a decade until Dec 2021.  When discovered, it impacted millions of computers, everything from cloud platforms to consumer apps.  As a business leader, if your business relies on open source (and it does), you must invest in ongoing due diligence, not blind trust. Recent supply chain issues should prompt critical questions such as, “What’s in my software supply chain?” and “How’s it monitored?”.

Your Risk is Reflected by Your Dependencies

A single compromised component can ripple across countless systems.  Looking at the event-streamincident, a small JavaScript library was hijacked and weaponised to steal cryptocurrency.   As a business leader, demanding visibility into your organisation’s dependency map is a must, ignorance is no excuse, and cyber insurance providers are not covering such risks. Are you relying on unknown or unmaintained components in your software development production? If the answer is “yes or not sure”, you need to have your code assets scanned, and either automatically remediated or managed with a mitigation plan.  As a result of the widespread consequences these open source vulnerabilities can have, since the Log4Shell incident, insurance providers require customers to prove they’ve patched or risk losing their insurance cover benefits

Underfunded Projects Power Billion-Pound Businesses

The most alarming aspect of many open source vulnerabilities isn’t the flaw itself, but the lack of maintenance. The XZ backdoor came about partly because the project had only one active maintainer, such is the nature of open source community driven software.  Therefore consumers and enterprises using the open source library inherit the responsibility for the quality and security of the instance used in its own coding projects. Adopting a pro-active 24/7 solution that incorporates continuous monitoring, automated remediation, and AI-powered vulnerability detection, is essential for identifying and addressing issues swiftly.

Leadership takeaway: Small investment vs Large payout or loss of credibility is clear. 

Speed of Response Is a Competitive Advantage

Putting in place a pro-active approach when vulnerabilities emerge–detect, prioritise, and patch quickly– can prevent disruption and protect your reputation. Marks & Spencer, Co-op and others are still striving to regain normality in the weeks to come.  These unfortunate incidents of “world class companies” highlight how security response has become a key measure of business agility.  Are your teams empowered with the tools and authority to act swiftly when open source risks emerge?

The Future of Open Source Security

Open source is here to stay.  Its growth is undeniable and remains a cornerstone of technological innovation for good. But security can’t just be an engineering checkbox. It must be part of your organisation’s culture, led from the top. Encourage a mindset of proactive security and open collaboration. The best organisations view open source software not just as free software, but as shared infrastructure worth protecting.

Conclusion

Cyber vulnerabilities in open source is not  a reason to fear the model.  Instead, they’re a call to engage more responsibly with it. As leaders, we must stop viewing open source security as someone else’s problem. The reality is: if your business runs on open source, its security must be your priority. Your role may not be a technical one, but asking the right questions and knowing your options from the beginning will help you take a preventive stance to ensure you don’t end up as tomorrow’s headline.

Bold colours infographic showing risk and thought leadership in cyber attacks and open source vulnerabilities
Open Source, Hidden Risk

Defend Against Disruption: Safeguard Vulnerability Management Amid MITRE Funding Risks

viviandufour, , , Leave a comment

Today’s Reality Check: Vulnerability Management is Non-Negotiable

With the MITRE CVE system being the backbone of global vulnerability identification, it’s alarming to see discussions about funding cuts that could jeopardize this critical resource. If the industry loses its shared language for describing digital flaws, we’re all in trouble. This could stifle innovation in vulnerability management and mitigation, leaving organizations scrambling for reliable data in the U.S. and globally.

The industry needs to rally. We must collaborate on alternative funding models, invest in open-source initiatives, and forge partnerships that keep vital resources like CVE alive and thriving. Let’s ensure that our defenses remain robust, even in the face of disruption.

Meterian: The Power Database and Invisible Security Platform You Need

While others may falter, Meterian is charging ahead. Our vulnerability database is not just comprehensive; it’s a powerhouse, tracking over 400,000+ vulnerabilities and receiving daily automatic updates from a multitude of sources. We pull data from the National Vulnerability Database, GitHub Security Advisories, and 15 other unique feeds. But we don’t stop there. Our AI-generated insights, combined with meticulous manual curation, deliver a done-for-you service that your security and engineering teams can depend on.

In short, we provide your enterprise with a pair of automated eagle eyes, ensuring you have full visibility into potential software weaknesses in your third-party software supply chain.

Quality and Volume

Our commitment to excellence means you get the best tools to manage vulnerabilities effectively, for your team’s tech stack and workflow.  We have a multitude of integrations and our OpenAPI architecture means we can collaborate to create more value together.

Join the Revolution

It’s time to elevate your cybersecurity strategy with the best solution for your team. Ready to take your cybersecurity to the next level?  Check out our product page infographic to see how our database stacks up against the competition.

Defend Against Disruption: Safeguard Vulnerability Management Amid MITRE Funding Risks

EU Cyber Resilience Act: Key Updates on SBOM Compliance

bbossola, , , , , , , , , , Leave a comment
EU Cyber Resilience Act

Since our previous discussion on the EU Cyber Resilience Act (CRA) and Software Bill of Materials (SBOMs), significant updates have clarified and expanded the framework for compliance. The European Parliament approved the CRA on March 12th, marking its importance in enhancing product security across the EU. This follow-up explain these developments, focusing on new guidelines and the evolving expectations for SBOM compliance.

New clarity on SBOMs from Germany: TR-03183

To provide more detailed guidance, Germany’s Federal Office of Information Security (BSI) released the Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products (Part 2: Software Bill of Materials (SBOM)), version 2.0. This 20-page document sets the groundwork for SBOM requirements under the CRA. Key highlights include:

  • Mandatory SBOM Compilation: An SBOM is essential for meeting CRA compliance.
  • Minimum Information Requirements: The SBOM must include the component name, version, dependencies, license (preferably using SPDX or ScanCode identifiers), and a SHA-256 hash.
  • Version-Specific SBOMs: A separate SBOM must be generated for each software version, with updates made only for error corrections or new information.
  • Preferred Formats: SBOMs must adhere to CycloneDX (v1.4 or higher) or SPDX (v2.3 or higher).
  • Process Integration: The SBOM must be generated as part of the build process or an equivalent mechanism.

Other recommendations, such as using CSAF with a VEX profile for distributing vulnerability information, aim to enhance transparency without directly embedding vulnerabilities in the SBOM.

Challenges in SBOM Implementation

While TR-03183 provides critical guidance, several unresolved issues highlight the complexities of SBOM creation and usage:

  • Identification Gaps: The absence of mandatory CPE or PURL requirements makes vulnerability reporting from SBOMs prone to errors.
  • Undefined “Scope of Delivery”: The guidelines use this term to define the depth of transitive component enumeration but lack clarity on acceptable thresholds.
  • SHA-256 Ambiguity: The methodology for computing a SHA-256 hash of source code remains unspecified.
  • Relationship Details: While all transitive components must be recursively included, relationships among them are not explicitly required. This omission can hinder the effectiveness of SBOMs in vulnerability management.

Preparing for CRA Compliance

The CRA’s adoption signals a critical need for manufacturers and software developers to refine their compliance strategies. With enforcement set for early 2027, organisations should prioritise:

  1. Automating SBOM Generation: Tools like Meterian can streamline SBOM creation, ensuring accurate dependency mapping and compliance with CRA’s format requirements.
  2. Enhancing Vulnerability Management: Despite the lack of mandatory CPE or PURL, integrating these identifiers into internal processes can improve accuracy.
  3. Staying Updated: Monitoring updates to technical guidelines like TR-03183 will be vital as CRA implementation progresses.

Looking ahead

The CRA represents a significant step forward in securing the digital ecosystem. By leveraging clear guidelines and robust tools, organisations can align with compliance requirements while strengthening their cybersecurity posture. The publication of TR-03183 marks progress but also underscores the need for continued refinement as industry feedback shapes the future of SBOM practices.

Navigating the complexities of SBOM creation and CRA compliance doesn’t have to be overwhelming. Meterian provides automated solutions designed to simplify the generation and management of SBOMs, ensuring:

  • Effortless Compliance: Meterian supports both CycloneDX format, helping you meet the CRA’s technical requirements with ease.
  • Comprehensive Dependency Mapping: Automatically scans your codebase to identify all components and transitive dependencies, ensuring nothing is missed.
  • Ongoing Vulnerability Monitoring: Integrates seamlessly with vulnerability databases to keep your SBOMs updated and your products secure.
  • Time-Saving Automation: Embeds SBOM generation into your build processes, reducing manual effort and increasing efficiency.

With Meterian, you can confidently meet CRA requirements while enhancing your overall security posture. Contact us to learn how we can support your journey toward compliance and beyond.

EU Cyber Resilience Act: Key Updates on SBOM Compliance

WHY IS SOFTWARE COMPOSITION ANALYSIS (SCA) IMPORTANT?

bbossola, , , , , , , Leave a comment


Attacks through open source are growing year on year, so companies cannot rely only on periodic pen testing. The code needs to be scanned on a daily basis during the lifecycle of the application’s development stages, and continue to do so once an application is deployed.

Modern software development in fact heavily relies on open-source components: they accelerate development, reduce costs, and provide access to well-tested, community-maintained code. Understanding the composition of their software products is crucial for companies producing applications, as it helps manage and secure the significant portion of their codebase that originates from open-source projects.

Checking open-source components in software development is crucial for at least three reasons: let’s have a closer look and clarify the problems.

Security Risks

The code of open-source  components is always publicly available and it is a natural target for hackers. Each day, more than 50 new vulnerabilities are discovered in open-source components and, if not identified and managed, they can be exploited, leading to security breaches.

Countless examples are available:

All these hacks were performed using a vulnerability in an open-source component: nothing was wrong with the code written by the respective developers.

How common are vulnerabilities? See, in this sample, the growth of vulnerabilities in the .NET open-source ecosystem:

Please note that this is a restricted view that matches exclusively only vulnerabilities affecting opensource components specific to the .NET ecosystem. Across all ecosystems, more than 100,000 vulnerabilities affecting open-source components are recorded. 

The risks are real. If you want to learn more you can also read our blog here.

License compliance

Open-source components come with various licenses, each with specific requirements and restrictions. Failing to comply with these licenses can lead to legal issues, including copyright infringement claims.

Among all those, let’s not forget TruthSocial, the famous Twitter clone created by the Trump Media & Technology Group, was found to be in breach of an OSS license and had to disclose its source code publicly.

Also Tesla decided to release its code to the public to comply with a copyleft license. On another occasion.  Westinghouse Digital Electronics preferred bankruptcy

The risks are real. If you want to learn more you can also read our blog  here.

Quality and reliability

While open-source software can be of high quality, this varies significantly, and some components might be abandoned or poorly maintained. Using such components can pose risks to the project’s stability and reliability.

Here introducing you Swashbuckle, a popular .NET project that has been abandoned by his creator for a more interesting adventures and now lays unmaintained and without an owner. It was last updated 6 (six) years ago.


Let’s also have a look at Lazy, another popular NodeJS component that was last updated 11 (eleven) years ago. While it’s a small library with a limited attach surface, why would you like to have this in your application? Software does not age like fine wine, unfortunately. 

This is an example of two commonly used opensource components that have not been updated in years,  a very long time in software development. Those components are basically not maintained anymore: if a problem is found, it won’t be fixed. If a vulnerability is there, nobody will know about it (apart from the occasional hacker, of course)

How Meterian SCA helps solve the challenge

Meterian offers a comprehensive application security platform designed to enhance the security posture, compliance adherence, and overall quality of software projects. This platform provides in-depth analysis and automation capabilities, empowering organisations to effectively manage open-source and third-party libraries throughout their software development lifecycle. Through its robust features, Meterian enables organisations to identify and mitigate vulnerabilities, ensure compliance with relevant regulations and standards, and maintain a high level of software quality.

Meterian is unique compared to its competitors because of various characteristics, let’s explore them

Supports the largest number of ecosystems
If you are using a legacy technology like Perl, focus on data science using Jupyter Notebooks, build video games with Unity, or build ultra-fast micro-services with Rust, you deserve the best protection available. Meterian supports a wide range of languages and ecosystems, and if your platform is not there, we will be happy to support it for you. 

Easy to to deploy on premises or dedicated cloud
In the SaaS industry, the requirement for a dedicated single-tenant instance or an on-premises installation may be driven by specific business needs, such as tight security, data sovereignty, and geo-location considerations.  Meterian can easily provide a single-tenant environment, either on-cloud or on-prem, and offers also a range of air-gapped solutions for extreme secure environments.

Comprehensive vulnerability database
Meterian’s vulnerability database not only boasts a broader coverage than any of its competitors but is also updated daily through a fully automated system that integrates numerous OSINT sources and Meterian’s specially curated databases, including AI-generated advisories directly from the analysis of open-source repositories. This automated process outpaces manual entry methods, ensuring we maintain a competitive edge through faster and more efficient updates, a key differentiation in our service offering.

Superior customer support
Speed, quality of responses, customer obsession, won deals because of this. We have a unique culture where the concept of “support” does not really exist, as all engineers are constantly working with customers. We want to be obsessed with customers, solve their problems quickly and effectively. Every customer support query is directly handled by engineers and is given priority in our backlog. This approach guarantees that our product evolves in response to real-world feedback, while also maintaining the highest level of customer satisfaction.

What next?

Don’t just take our word for it – experience the benefits for yourself. We invite you to schedule a demo to see how our solution can make a difference in your organisation’s security posture. Our team of experts is ready to guide you through the features and show you how it can address your specific security challenges. Take the first step towards a more secure future – reach out today and discover how Meterian can elevate your cybersecurity strategy.


Looking forward hearing from you.

WHY IS SOFTWARE COMPOSITION ANALYSIS (SCA) IMPORTANT?