Find notable cyber news and cases, enriched with sources, timelines, and signals.

Widespread end-of-life package exposure across major open-source registries

Trend
First reported
Last updated
Happening score
H score 59
1 unique sources, 1 articles

Summary

Hide ▲

End-of-life open source packages remain widespread across major registries, leaving enterprise dependency graphs exposed to versions with no patch path and limited CVE coverage. A large-scale lifecycle analysis found 5.4 million of 12 million package versions were EOL, showing that scanner silence can mask real risk. The gap is especially acute in transitive dependencies, where hidden EOL components can sit inside otherwise supported stacks.

Related Happenings

OpenSSF flags CRA readiness gap

Regulatory/Legal (General)
H score21 First: 08.06.2026 12:00 Last: 08.06.2026 12:00 Sources 1

About this happening: OpenSSF warned that **global manufacturers, developers, and open source stakeholders** remain materially unprepared for **Cyber Resilience Act (CRA)** compliance ahead of the **De...

CRA readiness gaps persist across global open source and manufacturing stakeholders

Trend
H score22 First: 08.06.2026 12:00 Last: 08.06.2026 12:00 Sources 1

About this happening: **OpenSSF** found **stagnating CRA readiness** across **global manufacturers, developers, and open source stakeholders**, leaving a large share of the ecosystem exposed to **Decem...

Famous Chollima PromptMink supply-chain campaign targeting Web3 developers

Campaign
H score44 First: 29.04.2026 17:43 Last: 29.04.2026 17:43 Sources 1

About this happening: The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....

Shifty Corsair evolves open-source supply-chain tradecraft with fake firms, layered packages, and AI-assisted deception

Threat Actor Meta
H score42 First: 29.04.2026 17:43 Last: 29.04.2026 17:43 Sources 1

About this happening: **Shifty Corsair** has expanded its operating model into a more convincing developer-lure ecosystem, increasing the risk of open-source supply-chain compromise against **Web3** ta...

OpenAI Codex Security rolls out as a research-preview vulnerability-finding agent

Security Tool/Service
H score14 First: 07.03.2026 18:28 Last: 07.03.2026 18:28 Sources 1

About this happening: **OpenAI** began rolling out **Codex Security** in **research preview**, adding an AI security agent that can **find, validate, and propose fixes** for vulnerabilities. The rollou...

Timeline

  1. 05.05.2026 17:00 2 articles · 2mo ago

    May 2026 report on end-of-life package exposure

    Technical Analysis Update

    A May 2026 report frames end-of-life open source packages as a widespread blind spot across npm, PyPI, Maven, NuGet, RubyGems, Go, Packagist, and crates.io: lifecycle analysis across 12 million package versions found 5.4 million EOL versions, while Sonatype's research cited 167,286 false negatives in 2025 and 5–15% EOL exposure in enterprise dependency graphs. The Spring Security example shows why scanner coverage fails: CVE-2026-22732 lists Spring Security 5.7.x through 7.0.x, but Spring Security 6.2.x reached EOL in December 2025, ships with Spring Boot 3.2, and HeroDevs says it is still affected without an upstream fix. April 2026 AI vulnerability research from Anthropic could widen the gap for unsupported code because new findings in EOL versions will not be officially investigated or patched.

    Show sources