Don't become the next Trivy: how to make your releases, tags, and automation resistant to compromise
This is Part 2 of our response to the Trivy supply-chain compromise. Part 1 covered how to consume GitHub Actions...
Stop trusting mutable references: how Eclipse Foundation projects should harden GitHub Actions after the Trivy compromise
On March 19, 2026, an attacker used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77...
Open VSX security update, October 2025
Over the past few weeks, the Open VSX team and the Eclipse Foundation have been responding to reports of leaked...
Eclipse Open VSX Registry Security Advisory
This security advisory provides additional technical details following our initial statement and the corresponding CVE record. TL;DR A vulnerability in...
Vulnerability in Eclipse Open VSX Registry extension publication process
On May 4th, the Eclipse Foundation (EF) Security Team received a notification from researchers at Koi Security regarding a potential...
Strengthening Open Source Security: Eclipse Foundation Selected by the Sovereign Tech Agency for a New Service Agreement
We are pleased to announce that the Eclipse Foundation has been selected by the Sovereign Tech Agency for a new...
Eclipse Foundation Security Statement: JARsigner Abuse by Malicious Actors
Recent reports indicate that cybercriminals are exploiting the Windows DLL side-loading technique using the legitimate jarsigner.exe executable to propagate malware...
Introducing the Updated Eclipse Foundation Security Policy
On November 20, 2024, the Board of Director of the Eclipse Foundation approved version 1.2 of its Security Policy. This...
Exploring the Future of Open Source Security at OCX 2024
In the fast-paced world of software development, open source has emerged as a catalyst for innovation. But with this rapid...
Securing the Future: 2FA Now Mandatory for Eclipse Foundation Committers
The Eclipse Foundation is pleased to announce the successful implementation of two-factor authentication (2FA) for all committers on both gitlab.eclipse.org...
Understanding Software Provenance Attestation: The Roles of SLSA and in-toto
A software provenance attestation is a signed document that associates metadata with an artifact, encompassing details like the artifact’s origin...
Understanding Software Provenance
In the ever-evolving landscape of open-source software development, the creation and distribution of artifacts—such as compiled binaries, libraries, and documentation—represent...