A year of open source vulnerability trends: CVEs, advisories, and malware
Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew—here’s what changed and what it means for your triage and response.
See how GitHub is investing in open source security: funding maintainers, partnering with Alpha-Omega, and expanding access to help reduce maintainer burden and strengthen software supply chains.
GitHub Security Lab Taskflow Agent is very effective at finding Auth Bypasses, IDORs, Token Leaks, and other high-impact vulnerabilities.
Learn how we are using the newly released GitHub Security Lab Taskflow Agent to triage categories of vulnerabilities in GitHub Actions and JavaScript projects.
Announcing GitHub Security Lab Taskflow Agent, an open source and collaborative framework for security research with AI.
Learn why some long-enrolled OSS-Fuzz projects still contain vulnerabilities and how you can find them.
Security advice for users and maintainers to help reduce the impact of the next supply chain malware attack.
Addressing a surge in package registry attacks, GitHub is strengthening npm’s security with stricter authentication, granular tokens, and enhanced trusted publishing to restore trust in the open source ecosystem.
When a chat conversation is poisoned by indirect prompt injection, it can result in the exposure of GitHub tokens, confidential files, or even the execution of arbitrary code without the user’s explicit consent. In this blog post, we’ll explain which VS Code features may reduce these risks.
Learn how the GitHub Secure Open Source Fund helped 71 open source projects significantly improve their security posture through direct funding, expert guidance, and actionable playbooks.
Discover how to increase the coverage of your CodeQL CORS security by modeling developer headers and frameworks.
DjVuLibre has a vulnerability that could enable an attacker to gain code execution on a Linux Desktop system when the user tries to open a crafted document.
Use these insights to automate software security (where possible) to keep your projects safe.
Dive into the novel security challenges AI introduces with the open source game that over 10,000 developers have used to sharpen their skills.