OpenSSF Introduces Open Source Security Framework

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs.

This week: The Open Source Security Foundation (OpenSSF) unveiled its OSPS Baseline: a new security framework for open source projects. Also: critical vulnerabilities discovered in GitLab's platform enabled attackers to get unauthorized access to sensitive repositories.

This Week’s Top Story

The Open Source Security Foundation (OpenSSF) this week unveiled a new security framework aimed at enhancing the resilience of open-source projects. Dubbed the Open Source Project Security (OSPS) Baseline, the new initiative provides guidelines and tools that help software developers identify and mitigate vulnerabilities in open source code, promoting a more secure software supply chain.

Despite the transparent nature of open source code and packages, open source project security ”is often obscure for adopters,” the OpenSSF said in a FAQ about the new framework. “It can be difficult to understand what a project has done to secure itself and its development (and) difficult for maintainers to understand how to get started in improving the security posture of their project,” OpenSSF wrote.?

The OSPS Baseline is designed to solve those problems, setting standards for the use of security controls in open source projects, as well as providing guidance on how they might be applied to projects of varying sizes, complexities, and source forges.

The new framework is aligned with frameworks like NIST’s Secure Software Development Framework (SSDF), ISO/IEC 27001, and the LFX GenAI Framework, and can help ensure that software artifacts comply with new regulations like the EU’s Cyber Resilience Act.?

OpenSSF encourages developers to think about the OSPS Baseline as a bar to step over rather than vault. The group describes it as a minimal security checklist. “Think of it like the minimum set of things you do to make sure your identity isn’t compromised or that you get your kid to school on time every day with no issues,” OpenSSF wrote.?

Developers should use it not as a “gold standard,” or uniform measuring stick for open source project security. Rather, adopters of open source projects are encouraged to see it as basic blocking and tackling — a way to assess the effort a given project has made (or not made) on security by “reviewing how they’ve implemented the baseline, and participating in supporting the project to ‘level up’.”

Experts were optimistic about the new initiative. In an interview with InfoSecurity magazine, independent open source community manager Stacey Potter said the OSPS Baseline initiative benefitted from getting input and feedback from actual OSS maintainers during a pilot rollout.

“We know it can be tough to navigate all the security standards out there, so we built a framework that grows with your project,” Potter added. “Our goal is to take the guesswork out of it, and help maintainers feel confident about where they stand, without adding extra stress. It’s all about empowering the community and making open source more secure for everyone.” (InfoSecurity)

This Week’s Headlines

GitLab vulnerabilities expose security gaps

Recent reports have identified critical vulnerabilities in GitLab's platform, enabling attackers to bypass security controls and gain unauthorized access to sensitive repositories. Users are urged to update to the latest version promptly to mitigate potential risks. (Cyber Security News)

Malicious npm package targets developers

A malicious npm package, @ton-wallet/create, has been discovered stealing cryptocurrency wallet keys from developers in the TON blockchain ecosystem. Disguised as a legitimate tool, it exfiltrates mnemonic phrases via a Telegram bot. Developers should exercise caution and verify packages before integration. (GB Hackers)

26 new threat groups emerged in 2024

CrowdStrike's latest threat intelligence report reveals the identification of 26 new adversary groups in 2024. These groups exhibit advanced tactics, targeting sectors ranging from healthcare to finance, underscoring the evolving threat landscape and the necessity for robust defense strategies. (Security Week)

Supply chain attacks are a growing concern

The rise in supply chain attacks highlights vulnerabilities within third-party vendors. Cybercriminals exploit these weaknesses to infiltrate networks, leading to significant disruptions. Businesses are advised to conduct thorough assessments of their partners' security practices and implement continuous monitoring to safeguard their operations. (America Daily Post)

Mega-botnet launches Microsoft 365 attacks

A botnet comprising over 130,000 compromised devices is conducting large-scale password-spraying attacks on Microsoft 365 accounts. By exploiting non-interactive sign-ins, these attacks often evade detection. Organizations are encouraged to enhance monitoring and enforce multi-factor authentication to protect their accounts.(Dark Reading)

Fake GitHub repositories stealing bitcoin

Kaspersky reports a "GitVenom" campaign where attackers create fake GitHub projects to distribute malicious code. These repositories, posing as tools for Telegram bots or gaming applications, have led to significant cryptocurrency thefts, including a case involving over $400,000 in Bitcoin. Users are advised to scrutinize code sources and avoid unverified repositories. (Coindesk.com)

Critical RCE vulnerability in MITRE Caldera

A critical remote code execution vulnerability, identified as CVE-2025-27364, has been discovered in MITRE's Caldera platform. This flaw could allow attackers to execute arbitrary code on affected systems. Users are strongly advised to apply the available patches to secure their environments. (The Cyber Express)

For more insights on software supply chain security, see the RL Blog.?

The Best of RL

Blog | Agentic AI and software development: Here's how to get ahead of rising risk

Agentic AI, which enables autonomous decision-making within business systems, has the potential to automate tasks traditionally handled by midlevel developers, Ericka Chickowski writes on the RL blog. While that offers significant potential, it also introduces complex security challenges for application security teams, which must proactively implement enhanced visibility, robust controls, and comprehensive governance across the software development lifecycle to effectively manage the associated risks.? [Read Now]?

Blog | Silent breaches and supply chain exploits: 5 lessons for cyber-teams

A recent Black Kite report highlights the prevalence of "silent breaches" in 2024, where attackers exploit trusted vendor relationships to infiltrate systems, causing widespread disruption across sectors like healthcare, retail, and logistics, John Mello writes over at the RL Blog. The report emphasizes the need for organizations to reassess third-party dependencies, enhance visibility into their digital ecosystems, and implement robust security measures to mitigate these often undetected threats. [Read Now]

Webinar: File Analysis & CDR: Forging a Formidable Defense

This webinar, scheduled for March 5 from 1-2pm ET, explores the new collaboration between ReversingLabs’ advanced file analysis and reputation technology and Glasswall’s innovative Content Disarm and Reconstruction (CDR) technology. By enforcing zero-trust architecture at domain boundaries through CDR while leveraging real-time threat detection and intelligence from ReversingLabs, organizations can severely restrict the ability of malware to compromise sensitive environments. [Register]

For great conversations to watch, see RL’s on-demand webinar library.