Across npm and PyPI

Sonatype reports a noticeable increase in malware discoveries in open‑source artifacts in a recent white paper. In the analysis »Sonatype uncovers global espionage campaign in open source ecosystems« on sonatype.com, the company details how many infected packages they counted: Between January and July 2025, Sonatype blocked 234 unique malware packages traced to Lazarus across npm and PyPI. These packages mimic popular developer tools but function as espionage implants, designed to steal secrets, profile hosts, and open persistent backdoors into critical infrastructure. The campaign reveals over 36,000 potential victims — and counting. ...

August 4, 2025 · 1 min · 121 words

8.8 trillion

GitHub has come out in favor of a Sovereign Tech Fund. Such a funding model is also used by the Sovereign Tech Agency. Felix Reda writes in »We need a European Sovereign Tech Fund« on github.blog: There is a profound mismatch between the importance of open source maintenance and the public attention it receives. The demand-side value of open source software to the global economy is estimated at $8.8 trillion, and the European Commission’s own research shows that OSS contributes a minimum of €65-95 billion to the EU economy annually. Basic open source technologies, such as libraries, programming languages, or software development tools, are used in all sectors of the economy, society, and public administrations. ...

July 24, 2025 · 1 min · 206 words

access to keys

Ellen Nakashima, Yvonne Wingett Sanchez and Joseph Menn write in »Global hack on Microsoft product hits U.S., state agencies, researchers say« for washingtonpost.com: What’s also alarming, researchers said, is that the hackers have gained access to keys that may allow them to regain entry even after a system is patched. Once again, a security vulnerability in Microsoft’s software was exploited. And of course: no system is completely secure. But when almost everyone uses the same software, a single flaw becomes a widespread risk. That’s exactly the case with Microsoft Office, SharePoint, or Windows. ...

July 22, 2025 · 1 min · 179 words

Neither artificial, nor intelligent

Hidde de Vries writes in »How to avoid that your post about AI helps the hype« for hidde.blog: The term “artificial intelligence” was coined as a way to make a branch of scientific research more attractive to potential funders. A lot of the tech we see today is neither artificial nor intelligent. It’s powerful and impressive technology, sure, but it’s machines. ...

July 19, 2025 · 1 min · 78 words

Huge source of technical debt

Darryl K. Taft quotes David Mytton, CEO of Arcjet, in »No Code Is Dead« for thenewstack.io: I expect GenAI to make building these apps a lot faster and easier, but it’s still going to make a technical mess. Vibe coding internal apps is going to be a huge source of technical debt in the coming years! In the public sector, Low-Code and No-Code are often hailed as a panacea for the growing need to automate in order to help offset demographic change. But this approach is already outdated. The article shows why No-Code is already obsolete and what challenges lie ahead. ...

July 13, 2025 · 1 min · 118 words