Brian Fox's Avatar

Brian Fox

@brianfox.bsky.social

Sonatype CTO

372 Followers  |  14 Following  |  9 Posts  |  Joined: 06.11.2023
Posts Following

Posts by Brian Fox (@brianfox.bsky.social)

Preview
Sustaining Package Repositories with Brian Fox Brian Fox discusses the challenges and future of open source package repository infrastructure. We discuss the complexities of managing public registries, the impact of overconsumption, and the import...

On #OpenSourceSecurity I had a chat with @brianfox.bsky.social about the sustainability letter from the open source package registries

This one is a big deal. The costs for open source are paid by someone, if you don't know who, you need to read this letter

opensourcesecurity.io/2025/2025-10...

06.10.2025 14:26 β€” πŸ‘ 2    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0

Yes all of this. Now it’s time to fix it.

25.09.2025 13:05 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Preview
From Abuse to Alignment: Why We Need Sustainable Open Source Infrastructure Open source relies on shared infrastructure. Learn why sustainable stewardship is critical to keep ecosystems like Maven Central strong.

Free isn’t free: the infrastructure behind open source has real costs, and it’s time we aligned usage with responsibility.

This morning we jointly launch a new blog and open letter on sustainable stewardship.

www.sonatype.com/blog/from-ab...

23.09.2025 10:34 β€” πŸ‘ 24    πŸ” 14    πŸ’¬ 0    πŸ“Œ 2

We see more new affected packages over night. It highlights why we built this ml/model for this back when it was still called ml/ai and use it to protect customers in real time.

We will be updating the blog shortly with the new packages.

09.09.2025 13:55 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Preview
npm Chalk and Debug Packages Hit in Software Supply Chain Attack Learn about the npm chalk and debug widespread software supply chain attack, highlighting risks and the need for better SBOM and SCA practices.

Looks
Like we got them taken down. So here it is: www.sonatype.com/blog/npm-cha...

09.09.2025 00:15 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

More than 1

08.09.2025 20:36 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

Our malware systems at Sonatype seem to be picking these up coming from other, not yet reported accounts. This attack seems to have landed more publishers as this unfolds. Check your accounts folks while we work with others to contain.

08.09.2025 20:12 β€” πŸ‘ 9    πŸ” 4    πŸ’¬ 2    πŸ“Œ 1

Fair. Maybe it’s a scam. Will have to wait and see.

16.04.2025 11:37 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0
Preview
Open-source malware doubles, data exfiltration attacks dominate - Help Net Security A total of 17,954 open source malware packages identified in Q1 2025, according to Sonatype's Open Source Malware Index.

Open-source malware doubles, data exfiltration attacks dominate

πŸ“– Read more: www.helpnetsecurity.com/2025/04/03/o...

#cybersecurity #cybersecuritynews #opensource @brianfox.bsky.social

03.04.2025 07:00 β€” πŸ‘ 1    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Preview
CVE Foundation FOR IMMEDIATE RELEASE April 16, 2025 CVE Foundation Launched to Secure the Future of the CVE Program [Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term ...

www.thecvefoundation.org

16.04.2025 09:54 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0

Good news for Java developers! Central now validates OpenSSF sigstore signatures as part of publishing. If you’re already signing your artifacts with Sigstore, you’ll now get real-time validation feedback in the Central Publisher Portal.

Read more details here: www.sonatype.com/blog/central...

29.01.2025 17:53 β€” πŸ‘ 5    πŸ” 3    πŸ’¬ 0    πŸ“Œ 0
Post image

πŸ“’ The @linuxfoundation.org, with Harvard's Laboratory for Innovation Science, has released Census III of Free and Open Source Software – Application Libraries. πŸ–₯️ Key insights from OpenSSF help reduce FOSS vulnerabilities and secure supply chains. Read more: openssf.org/press-releas...

04.12.2024 15:54 β€” πŸ‘ 3    πŸ” 2    πŸ’¬ 0    πŸ“Œ 0