Don't become the next Trivy: how to make your releases, tags, and automation resistant to compromise
This is Part 2 of our response to the Trivy supply-chain compromise. Part 1 covered how to consume GitHub Actions...
eclipse-foundation
Stop trusting mutable references: how Eclipse Foundation projects should harden GitHub Actions after the Trivy compromise
On March 19, 2026, an attacker used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77...
Open VSX security update, October 2025
Over the past few weeks, the Open VSX team and the Eclipse Foundation have been responding to reports of leaked...
Eclipse Open VSX Registry Security Advisory
This security advisory provides additional technical details following our initial statement and the corresponding CVE record. TL;DR A vulnerability in...
Vulnerability in Eclipse Open VSX Registry extension publication process
On May 4th, the Eclipse Foundation (EF) Security Team received a notification from researchers at Koi Security regarding a potential...
Strengthening Open Source Security: Eclipse Foundation Selected by the Sovereign Tech Agency for a New Service Agreement
We are pleased to announce that the Eclipse Foundation has been selected by the Sovereign Tech Agency for a new...
Eclipse Foundation Security Statement: JARsigner Abuse by Malicious Actors
Recent reports indicate that cybercriminals are exploiting the Windows DLL side-loading technique using the legitimate jarsigner.exe executable to propagate malware...
Introducing the Updated Eclipse Foundation Security Policy
On November 20, 2024, the Board of Director of the Eclipse Foundation approved version 1.2 of its Security Policy. This...
Leaving the Eclipse Foundation
Yes. The rumours are true. I will star in the next Marvel film! Alright, alright. That’s a lie, but it...