
June highlighted the high stakes for open source security. The European Open Source Security Forum focused on turning CRA commitments into action, while the Mini Shai-Hulud and Miasma threats underscored the need for strong provenance. Despite these challenges, the community progressed with new machine-readable guidance, a SLSA supply chain post-mortem, and a critical CRA Awareness report. Read on for the full update!
TL;DR:
- 📋 2026 CRA Awareness & Readiness Report → Two-thirds of the open source community still don’t know what the EU CRA requires — and the September deadline is approaching.
- 🎬 OpenSSF Community Day NA Sessions Now on YouTube → All session recordings from OpenSSF Community Day North America are live in a full playlist.
- 🔗 Mini Shai-Hulud: Where SLSA’s Boundaries Fall → SLSA team publishes a clear-eyed breakdown of what the worm exploited, what the framework prevents, and what it can’t.
- 🔎 Aligning on Machine-Readable Signals as the Foundation for Due Diligence → Modern supply chains need automated signals, not manual checklists.
- 📦 AMPEL Accepted as New Sandbox Project → New OpenSSF project makes supply chain security assertions practical, composable, and automatable.
- 🎙️ Podcast: Mentorship & Community → This month’s episodes dive deeply into the impact of open source on the enterprise, exploring security and career growth with IBM’s Jamie Thomas while also tackling the hidden risks of end-of-life dependencies with HeroDevs.
The CFP for OpenSSF Community Day Europe 2026 Is Open Through July 12, Plus an Additional Track for SCORED Research Papers

The Call for Proposals for OpenSSF Community Day Europe 2026 is open through Sunday, July 12 at 11:59 PM CEST. The event occurs on October 6 in Prague, Czechia, co-located with Open Source Summit Europe. This year, we added the Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED) conference as a new dedicated technical track, inviting researchers from academia to submit original research papers. Register | Submit your talk | Sponsor
2026 CRA Awareness and Readiness Report
The 2026 CRA Awareness and Readiness Report is live, and the findings are stark. Today, 66% of developers, manufacturers, and contributors worldwide are “not familiar at all” or “only slightly familiar” with the CRA, a number that rises to 72% in the US and Canada. Download the report and read CRob’s companion blog post, Taking Stock of the State of European Cyber Resilience Act (CRA) Compliance: An Urgent Wake-up Call for the Open Source Ecosystem, for his direct assessment of what the data means.
The “Skyway” to OSS Security: OpenSSF Community Day North America 2026 Recap
Missed Minneapolis? Catch up on everything you missed with our newly published recap of OpenSSF Community Day North America. The complete YouTube session playlist is now live, featuring a broad security spectrum that spans from post-quantum readiness and AI-driven orchestration to deep dives into SBOM transparency and trusted publishing. Read the recap to explore the highlights and relive the day’s most impactful moments!
Mini Shai-Hulud: Where SLSA’s Boundaries Fall
On May 11, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 TanStack packages and spread to 170+ packages across other ecosystems. The SLSA team published a thorough post-mortem: a signed attestation confirms what the build platform observed, not whether the build itself was trustworthy. Read the full analysis for what the framework covers, what policy must close, and what operational controls teams can put in place today.
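The distinction the post-mortem draws, that a signed attestation records what the build platform observed rather than whether that build deserves trust, is the reason a verification pipeline needs a policy layer on top of signature checking. The following is an added example, not code from the SLSA project or from the post-mortem: a small policy gate over a SLSA v1 provenance statement. The builder ID, repository URI, package name and digests are constructed placeholders, and the signature/envelope check is assumed to have been done upstream (for example by Sigstore tooling) and is passed in as a boolean.

```python
"""
Added example: policy evaluation over a SLSA v1 provenance statement.
A verified signature is a precondition, not the decision. The policy
decides whether the builder and the observed source are ones we accept.
All identifiers below are constructed for illustration.
"""
import json

# Constructed values (not real builders or repositories).
TRUSTED_BUILDER = "https://example.invalid/builders/hosted-ci@v1"
EXPECTED_SOURCE = "git+https://github.com/example-org/example-widget"

POLICY = {
    # Build platforms whose attestations are accepted at all.
    "trusted_builders": {TRUSTED_BUILDER},
    # Per-package expectation of where the source must come from.
    "expected_sources": {"pkg:npm/example-widget": EXPECTED_SOURCE},
}


def make_statement(builder_id: str, source_uri: str) -> str:
    """Build a constructed in-toto statement carrying SLSA v1 provenance.

    The field layout follows the public SLSA v1.0 predicate; the values are
    made up so the example runs offline.
    """
    return json.dumps({
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/example-widget@1.2.3",
                     "digest": {"sha256": "ab" * 32}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/build-types/ci@v1",
                "externalParameters": {
                    "source": {"uri": source_uri,
                               "digest": {"gitCommit": "c0ffee" * 6 + "c0ff"}},
                },
                "resolvedDependencies": [],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    })


def evaluate(statement_json: str, policy: dict, attestation_verified: bool) -> list[str]:
    """Return policy violations for one provenance statement (empty = accept).

    attestation_verified is the outcome of the signature check done elsewhere.
    It gates the evaluation but never substitutes for it: a correctly signed
    statement from an unexpected builder or source is still rejected.
    """
    if not attestation_verified:
        return ["attestation signature not verified"]
    stmt = json.loads(statement_json)
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        return [f"unexpected predicateType {stmt.get('predicateType')!r}"]

    findings = []
    pred = stmt.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        findings.append(f"builder {builder!r} not in trusted set")

    source = (pred.get("buildDefinition", {})
                  .get("externalParameters", {})
                  .get("source", {})
                  .get("uri"))
    for subject in stmt.get("subject", []):
        # Strip the version so the expectation is keyed by package identity.
        name = subject["name"].rsplit("@", 1)[0]
        expected = policy["expected_sources"].get(name)
        if expected is None:
            findings.append(f"no source expectation recorded for {name}")
        elif source != expected:
            findings.append(f"{name}: source {source!r} != expected {expected!r}")
    return findings


if __name__ == "__main__":
    honest = make_statement(TRUSTED_BUILDER, EXPECTED_SOURCE)
    forked = make_statement(TRUSTED_BUILDER, "git+https://github.com/someone-else/example-widget")
    print("honest  :", evaluate(honest, POLICY, True))
    print("forked  :", evaluate(forked, POLICY, True))
    print("unsigned:", evaluate(honest, POLICY, False))
```

The `forked` case is the point of the exercise: its statement is well-formed and, under the assumption, correctly signed, yet it is rejected because the policy records where this package's source is supposed to live. What the provenance cannot express, and what this gate therefore cannot catch, is a build that faithfully ran on a trusted builder over a source tree that had already been tampered with; that is the gap the post-mortem assigns to operational controls rather than to the framework.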
Aligning on Machine-Readable Signals as the Foundation for Due Diligence
Software supply chains have grown too complex for manual compliance oversight. OpenSSF EU Policy Advisor Madalin Neag argues that the only scalable path forward is automated, machine-readable security signals – and that OpenSSF tooling like Security Insights, OSPS Baseline, and Gemara provide the building blocks both regulators and maintainers need. Read the blog.
What’s in the SOSS? An OpenSSF Podcast:
#62 – S3E14 The Ghost in the Dependency Tree: Navigating Open Source End-of-Life with HeroDevs
CRob sits down with Isaac Wuest, Product Line Leader at HeroDevs, to explore the critical and often overlooked “gray area” of the software supply chain: End-of-Life (EOL) software. While the industry heavily relies on CVEs to track vulnerabilities, Isaac explains how maintainer abandonment creates a vacuum where risks are present but remain undiscovered and unreported. Listen now.
Join CRob and Jamie Thomas, IBM Enterprise Security Executive and OpenSSF Governing Board Member (former Chair!), as they tackle the vital shifting dynamics of enterprise open source engagement. From IBM’s historical “billion-dollar bet” on Linux to modern supply chain wake-up calls like SolarWinds and Log4j, Jamie pulls back the curtain on what it truly means to move from accidental consumption to intentional stewardship. Listen now.
News from OpenSSF Community Meetings and Projects:
- Generative AI is shifting how you use, build, and maintain open source software. The Linux Foundation, OpenSSF, LF AI & Data Foundation, and ActiveState launched a joint survey to map this changing AI security landscape, and we need your input. Take the survey.
- On June 10, OpenSSF participated in the second Cyber Resilience Act (CRA) Expert Group meeting of the year.
- If you missed our recent CRA Tech Talk on June 15th dedicated to upstream contributors, you can now catch up on the full recording here.
- Videos for all sessions from OpenSSF Community Day North America are now available in a full playlist on YouTube. The OpenSSF @ Open Source Summit North America YouTube playlist is also now available.
- AMPEL was accepted as a new OpenSSF sandbox project by the TAC. The project’s mission is to make supply chain security assertions practical, composable, and automatable.
- OpenSSF is compiling a literature search to develop an LF Education course on Using AI to Find and Fix Vulnerabilities in Open Source Software.
- OpenBao released v2.5.4 with patches for three CVEs, several bug fixes, and a PostgreSQL storage improvement.
- The ORBIT Launchpad SIG is working on a CRA Baseline for Open Source Consumption and a CRA Baseline for Manufacturers.
- Zarf released v0.77 with keyless Sigstore signing support, the ability to pull images by index SHA, archive inclusion in image discovery, and a fix for the signing auth flow in CI environments.
- The Vulnerability Disclosures WG continues progress on guidance for AI in vulnerability disclosure.
- Gemara released v1.2.0 with an optional rank field in the risk catalog for risk prioritization and maintenance updates.
- CFPs are open for AGNTCon + MCPCon Japan, OpenSSF Community Day Europe (closes July 12), and Open Source Summit Europe.
Member Spotlight
ActiveState – Free Certification: Open Source Software Security Management
OpenSSF General Member ActiveState is offering a free, self-paced certification on open source risk management across the software supply chain — covering vulnerability detection and remediation, artifact management, and supply chain controls. Earn a shareable LinkedIn badge on completion. Get started.
CleanStart – 100 Verified Container Images Milestone
OpenSSF General Member CleanStart recently crossed the milestone of 100 CleanStart Verified container images, which is a meaningful marker for the software supply chain and container security community.
In the News:
- Infosecurity Magazine: Two-Thirds of Open Source Community Unaware of Cyber Resilience Act
- ITOps Times’ “Get with IT” Podcast: The Sustainability Gap in Open Source Package Repositories (CRob)
- Tech Times: EU Cyber Resilience Act: 24-Hour Vulnerability Clock Starts September 11 for IoT Vendors
- TFiR: How to Prepare for EU Cyber Resilience Act Compliance Before Enforcement Hits | Christopher Robinson, OpenSSF | TFiR
- DevOps.com: OpenSSF’s CRob: ‘The Runway Is Rapidly Running Out’ on EU CRA Readiness
Meet OpenSSF at These Upcoming Events!
Connect with the OpenSSF Community at these key events:
- Black Hat 2026 – August 1–4, Las Vegas, NV
- OpenSSF Community Day Europe 2026 – October 6, Prague, Czechia
- Open Source Summit Europe 2026 – October 7–9, Prague, Czechia
- All Things Open 2026 – October 19–20, Edinburgh, UK
- AGNTCon + MCPCon North America – October 20–23, San Jose, CA
- Open Source SecurityCon North America 2026 – November 9, Salt Lake City, UT
- KubeCon + CloudNativeCon North America 2026 – November 9–12, Salt Lake City, UT
Ways to Participate:
There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, Bluesky, and LinkedIn
- Join OpenSSF
See You Next Month!
We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!
Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team