ActiveState

AI hallucinations create a new attack pattern. Models suggest package names that don't exist. Attackers register them. Developers install exactly what the AI suggested. Your scanner doesn't catch names that weren't in its database. Governance at the point of ingestion does. #SoftwareSupplyChain

One number worth knowing: ~95% CVE reduction for open source components governed by a verified catalog vs. the same packages pulled from npm directly. Not because they are older. Because they cleared a security threshold before ingestion. Cooldowns delay exposure. Provenance-based governance prevents it. #SoftwareSupplyChain #OpenSourceSecurity #DependencyManagement Read more at https://t.co/grFhQGkhgy

Dependency cooldowns are table stakes now. Good. Adopt them. Also: patient attackers already know your window. And your AI coding agent's npm install mid-session bypasses your .npmrc config entirely. A time-based filter is not a software supply chain sourcing strategy. Provenance is. #SoftwareSupplyChain #OpenSourceSecurity #DevSecOps #SLSA Read more at https://t.co/grFhQGkhgy

Industry average MTTR for critical CVEs: above 50 days. ActiveState contractual SLA for critical CVEs: 5 business days. The 45 days in between are not a performance gap. For the security leader whose name is on the program, they are a documented liability window with a start date. Mitchell Hashimoto said it directly: someone has to charge for the relationship open source licenses won't provide. Read more at https://t.co/tQBvOvzME6 #OpenSourceSecurity #CVE #SoftwareSupplyChain #CISO #AppSec

EU CRA Phase 1: September 2026. Mandatory 24-hour vulnerability reporting to ENISA. Applies to all products on market, including legacy. "We had a scanner" is not a sufficient legal defense. "Here is our provenance chain, our SBOM, and our contractual 5-day remediation SLA" is. The clock is running. Read more at https://t.co/tQBvOvzME6 #EUCyberResilienceAct #OpenSourceSecurity #CISO #SoftwareSupplyChain #Compliance

Sonatype's 2025 Open Source Software Supply Chain Risk Report: 454,000+ new malicious open source packages in 2025. Cumulative total past 1.2 million. Your AI coding assistant is pulling from that ecosystem, one keystroke at a time, without checking maintainer status or vulnerability history. Scanning what entered your environment is a record of what you missed, not a prevention strategy. Read more at https://t.co/tQBvOvzME6 #SoftwareSupplyChain #OpenSourceSecurity #AppSec #DevSecOps #AISecurity

The "as is" clause in open source licenses was never the problem. The problem was enterprise governance built on a warranty the license explicitly withheld. AI coding assistants just made that gap impossible to sustain. NIST says CVE submissions are up 263% and they can't keep up. Neither can your scanner. Read more at https://t.co/tQBvOvzME6 #OpenSourceSecurity #SoftwareSupplyChain #CISO #AppSec #CyberResilience

AI-generated code doesn't just accelerate development. It accelerates the inherited trust problem. Every import statement an AI coding tool generates is a potential new open source dependency. At 500-1,000 developers, that intake rate isn't human-scale anymore. The governance model most teams are running was never built for this. The road ahead requires a different kind of decision. Read more at https://t.co/Apn4hyDiIW #softwaresupplychain #opensourcesecurity #AppSec #AIcode #CISOnotes

'We were running a scanner' is not an audit trail for your OSS. SEC breach notification rules and the EU Cyber Resilience Act require documented, verifiable due diligence over your software supply chain. The question regulators will ask isn't whether you had tools. It's whether you made decisions. Most orgs cannot answer that question on demand today. Read more at https://t.co/Apn4hyDiIW #CyberResilienceAct #softwaresupplychain #opensourcesoftwaresecurity #CISOnotes #compliance

The attack logic that TeamPCP used is still valid. Five package ecosystems. Transitive dependency layer. Inherited trust from upstream maintainers. No explicit governance decision about what open source software was safe to consume. That structure has not changed. The next attack will use the same entry points. Read more at https://t.co/Apn4hyDiIW #opensourcesoftwaresecurity #softwaresupplychain #AppSec #CISOnotes #devsecops

TeamPCP was caught because a developer's laptop ran hot. The OSS governance gap it exposed is still open at most organizations. The scanner passed the binary through correctly. The failure was a decision about open source software provenance that was never made. Same structure. Same exposure. Still no decision. Read more at https://t.co/Apn4hyDiIW #opensourcesecurity #softwaresupplychain #CISOnotes #AppSec #supplychainsecurity

Everyone is asking whether their AI agents will do the wrong thing. Nobody is asking what happens if they were built on the wrong thing. That's the conversation missing from every governance framework, every session agenda, every vendor pitch right now. Underneath every agent in your environment is a software stack. Inside that stack: open source dependencies pulled in by AI coding assistants, accepted in a single keystroke, with no provenance check, no manual review, no assigned owner. Behavioral trust is a real problem worth solving. Can the agent do what I asked? Yes. But that question rests on a foundation most organizations have never looked at. Security doesn't start with what your agent does. It starts with what it was built on. #CyberSecurity #AIAgents #SoftwareSupplyChain

CISOs: AI coding assistants don't just generate code. They generate open source risk. At machine speed. The fix can't be tethered to a single AI tool. It has to be at the dependency layer. That's exactly what the ActiveState Curated Catalog does. And today we expanded it to cover any AI coding environment. https://t.co/RoL7W0gRKl