Securing the AI software supply chain: Security results across 67 open source projects - The GitHub Blog
<a href="https://news.google.com/rss/articles/CBMiygFBVV95cUxNU1R1NHdJZEUwaGdsMUt5TzNPRG9ZVFRDOXo5bUJiREx2Zl82ejFuci0xVFYyQkhCb1FSU3VxWE5kcW56ME43SGJwclZmQVJaRURGSVRhSFEweTMtcWhKSmNDQ0NqcHNtUGtrTXd3Q2NwTzNkV21IcDdzNEhfUS1NNWptSTByZUZKNTJ4cFNyMWNJVmNHTTJvZXhwaW9fcGE0Zlh6Z1RzLTVOUXdRNlJONl9kZ2hpWVZmelU5YjViQXZhWVEyQ2tlZGpn?oc=5" target="_blank">Securing the AI software supply chain: Security results across 67 open source projects</a> <font color="#6f6f6f">The GitHub Blog</font>
Could not retrieve the full article text.

🚀 I Vibecoded an AI Interview Simulator in 1 Hour using Gemini + Groq
<h1> 🚀 Skilla – Your AI Interview Simulator </h1> <h2> 💡 Inspiration </h2> <p>Interviews can be intimidating, especially without proper practice or feedback. Many students and job seekers don’t have access to real interview environments where they can build confidence and improve their answers.</p> <p>That’s why I built <strong>Skilla</strong> — an AI-powered interview simulator that helps users practice smarter, gain confidence, and improve their communication skills in a realistic way.</p> <h2> 🌐Live URL: <strong><a href="https://skilla-ai.streamlit.app" rel="noopener noreferrer">https://skilla-ai.streamlit.app</a></strong> </h2> <h2> 🤖 What It Does </h2> <p><strong>Skilla</strong> is a smart AI interview coach that:</p> <ul> <li>🎤 Simulates real interview scenarios </li> <li>🧠 Ask
Why AI Agents Need a Trust Layer (And How We Built One)
<p><em>What happens when AI agents need to prove they're reliable before anyone trusts them with real work?</em></p> <h2> The Problem No One's Talking About </h2> <p>Every week, a new AI agent framework drops. Autonomous agents that can write code, send emails, book flights, manage databases. The capabilities are incredible.</p> <p>But here's the question nobody's answering: <strong>how do you know which agent to trust?</strong></p> <p>Right now, hiring an AI agent feels like hiring a contractor with no references, no portfolio, and no track record. You're just... hoping it works. And when it doesn't, there's no accountability trail.</p> <p>We kept running into this building our own multi-agent systems:</p> <ul> <li>Agent A says it can handle email outreach. Can it? Who knows.</li> <li>Age
Axios Hijack Post-Mortem: How to Audit, Pin, and Automate a Defense
<p>On March 31, 2026, the <code>axios</code> npm package was compromised via a hijacked maintainer account. Two versions, <code>1.14.1</code> and <code>0.30.4</code>, were weaponised with a malicious phantom dependency called <code>plain-crypto-js</code>. It functions as a Remote Access Trojan (RAT) that executes during the <code>postinstall</code> phase and silently exfiltrates environment variables: AWS keys, GitHub tokens, database credentials, and anything present in your <code>.env</code> at install time.</p> <p>The attack window was approximately 3 hours (00:21 to 03:29 UTC) before the packages were unpublished. A single CI run during that window is sufficient exposure.<br> This post documents the forensic audit and remediation steps performed on a Next.js production stack immediatel
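As an added example (not code from the post above, from the axios project, or from npm itself), the following Node script scans an npm lockfile for the indicators the post names: axios at 1.14.1 or 0.30.4, any copy of the phantom dependency plain-crypto-js, and every package npm flagged with `hasInstallScripts`, since the payload described runs from a lifecycle (postinstall) script. The field names `packages`, `version` and `hasInstallScripts` are those of npm's lockfileVersion 2/3 format; the lockfile it scans is constructed for the example and is not a real project's.

```javascript
// Added example: lockfile audit for the indicators named in the post.
// Works on lockfileVersion 2 and 3, whose "packages" map is keyed by the
// node_modules path of each installed package.

const COMPROMISED_VERSIONS = {
  // versions the post names as compromised
  axios: new Set(["1.14.1", "0.30.4"]),
};
// phantom dependency the post names; any version is a finding
const PHANTOM_DEPENDENCIES = new Set(["plain-crypto-js"]);

// Package name from a lockfile path, e.g.
// "node_modules/axios/node_modules/@scope/pkg" -> "@scope/pkg".
function nameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns { iocHits, installScripts }: iocHits are packages matching a
// compromised version or phantom name; installScripts lists every package
// npm recorded as declaring an install lifecycle script.
function scanLockfile(lockfile) {
  const lock = typeof lockfile === "string" ? JSON.parse(lockfile) : lockfile;
  if (!lock.packages) {
    throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  }
  const report = { iocHits: [], installScripts: [] };
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = meta.name || nameFromPath(lockPath);
    const version = meta.version;
    const badVersions = COMPROMISED_VERSIONS[name];
    if (badVersions && badVersions.has(version)) {
      report.iocHits.push({ name, version, lockPath, reason: "compromised version" });
    }
    if (PHANTOM_DEPENDENCIES.has(name)) {
      report.iocHits.push({ name, version, lockPath, reason: "phantom dependency" });
    }
    if (meta.hasInstallScripts === true) {
      report.installScripts.push({ name, version, lockPath });
    }
  }
  return report;
}

// Constructed sample lockfile (not a real project): axios resolved to a
// version the post names, pulling the phantom dependency in beneath it.
// The plain-crypto-js version string here is a placeholder.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "plain-crypto-js": "*" },
    },
    "node_modules/axios/node_modules/plain-crypto-js": {
      version: "1.0.0",
      hasInstallScripts: true,
    },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// To audit a real project, replace SAMPLE_LOCK with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
const sampleReport = scanLockfile(SAMPLE_LOCK);
for (const hit of sampleReport.iocHits) {
  console.log(`IOC: ${hit.name}@${hit.version} (${hit.reason}) at ${hit.lockPath}`);
}
for (const pkg of sampleReport.installScripts) {
  console.log(`install script: ${pkg.name}@${pkg.version} at ${pkg.lockPath}`);
}
```

The scan only tells you whether the lockfile references the indicators; it cannot tell you whether a CI run installed them during the window. If one did, treat every secret present in that run's environment as exposed and rotate it. Running installs with `npm ci --ignore-scripts` removes the postinstall execution path the post describes, at the cost of breaking packages that legitimately need install scripts, which the `installScripts` list above enumerates.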
More in Open Source AI
Observability of AI agents with LangChain4j
<h2> Introduction </h2> <p>We are living through a wave in software development driven by the use of <strong>generative AI</strong> and, more recently, by <strong>AI agents</strong> capable of making decisions, orchestrating calls to models and interacting with external tools.</p> <p>These agents go beyond simple integrations with LLMs. They run dynamic flows, make multiple calls to the model, use tools and make decisions based on context. This behaviour brings them much closer to distributed systems.</p> <p>As a result, as we begin to bring these agents into <strong>corporate environments</strong>, an essential requirement emerges that cannot be ignored: <strong>observability and monitoring</strong>.</p> <p>Put simply:</p> <ul>
datasette-enrichments-llm 0.2a1
<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-enrichments-llm/releases/tag/0.2a1">datasette-enrichments-llm 0.2a1</a></p> <blockquote> <ul> <li>The <code>actor</code> who triggers an enrichment is now passed to the <code>llm.mode(... actor=actor)</code> method. <a href="https://github.com/datasette/datasette-enrichments-llm">#3</a></li> </ul> </blockquote> <p>Tags: <a href="https://simonwillison.net/tags/enrichments">enrichments</a>, <a href="https://simonwillison.net/tags/llm">llm</a>, <a href="https://simonwillison.net/tags/datasette">datasette</a></p>

Why AI Agents Need Both Memory and Money
<p>Every major AI agent framework — LangGraph, CrewAI, AutoGen, Semantic Kernel — gives you the same primitives: tool calling, chain-of-thought reasoning, and some form of state management. These are necessary but not sufficient for agents that operate in the real world.</p> <p>Two critical capabilities are missing from every framework: <strong>cognitive memory that behaves like a brain</strong> and <strong>financial agency that lets agents transact</strong>. More importantly, nobody has connected the two. That's what MnemoPay does.</p> <h2> The memory problem nobody talks about </h2> <p>Current agent memory solutions (Mem0, Letta, Zep) treat memory like a database. Store facts, retrieve facts. This works for simple use cases, but it fundamentally misunderstands how useful memory works.</p

Show HN: AgentLens – Chrome DevTools for AI Agents (open-source, self-hosted)
<p>Agents are opaque. AgentLens is Chrome‑DevTools for AI agents — self‑hosted, open‑source. It traces tool calls and visualizes decision trees so you can see why an agent picked a tool. Repo: <a href="https://github.com/tranhoangtu-it/agentlens" rel="noopener noreferrer">https://github.com/tranhoangtu-it/agentlens</a></p> <p>It plugs into LangChain/FastAPI stacks, uses OpenTelemetry spans, and ships a React frontend (Python backend, TypeScript UI). You get per-tool inputs/outputs, timestamps, and branching paths — the raw traces you actually need to debug agents.</p> <p>Practical playbook: emit spans from your agent, sample 100% in dev, 1–5% in prod. Persist traces off your user data store (filter PII). Watch for repeated tool calls, backoff loops, and input drift. AgentLens gives visibil