News Article · Jun 20, 2026 at 3:42 PM
FSF Patches Two-Year-Old Flaw as Security Incidents Hit Open Source, Supply Chains, and Major Brands
Security #supply chain attack #WordPress #ShinyHunters #North Korea #Gravity SMTP #CVE-2026-4020 #FSF #GNU Savannah #Mastra AI #Nintendo #Madison Square Garden

The Free Software Foundation patched a two-year-old vulnerability in GNU Savannah after AI researchers reported it. Meanwhile, Microsoft linked a Mastra AI supply chain attack to North Korea, Nintendo confirmed data theft, ShinyHunters leaked 45GB of MSG data, and a WordPress plugin bug exposed API keys.

The Free Software Foundation patched a two-year-old vulnerability in its GNU Savannah repository on June 19, 2026, after security researchers from Hacktron.AI reported the flaw and demonstrated an exploit in early May. The FSF stated all reported issues have been addressed and found no evidence of compromised project data or supply chain tampering.

The vulnerability, introduced in software published approximately two years prior, could have allowed attackers to access sensitive project data. The FSF is now contacting hosted projects and other Savane instances to strengthen security, with a full incident report expected within 30 days.

Supply Chain Attacks Target AI and Open Source

Microsoft attributed a separate supply chain attack against Mastra AI to the North Korean hacking group Sapphire Sleet (BlueNoroff). The attack compromised more than 140 npm packages, highlighting persistent risks in open-source dependencies. The FSF incident similarly underscores the challenge of maintaining security in large, volunteer-run code repositories.

  • FSF: Two-year-old flaw in GNU Savannah, patched after AI researcher report.
  • Mastra AI: Supply chain attack linked to North Korean group Sapphire Sleet, over 140 npm packages compromised.
  • Nintendo: Data stolen via third-party cyberattack; ransomware group Shadowbyt3$ demanded $2 million, but Nintendo reportedly refused to pay.
  • Madison Square Garden: ShinyHunters published 45GB of data, including facial recognition records and 26 million customer records, after ransom deadline missed.
  • Gravity SMTP WordPress plugin: CVE-2026-4020 (CVSS 5.3) exploited by unauthenticated attackers to extract API keys and secrets from roughly 100,000 installations.

Growing Attack Surface Demands Faster Patching

The breadth of these incidents reflects an expanding attack surface: from open-source infrastructure and AI supply chains to entertainment venues and WordPress plugins. Nintendo's breach occurred through a third-party vendor, while the MSG leak involved sensitive surveillance data, prompting a federal class-action lawsuit. The Gravity SMTP flaw was patched prior to exploitation, but attackers quickly moved to exploit unpatched sites.

Organizations are urged to audit third-party dependencies, enforce multi-factor authentication, and apply security patches promptly. The FSF's 30-day report will provide further technical details, while Microsoft continues to track Sapphire Sleet activity. As AI-driven security firms like Hacktron.AI uncover older flaws, the industry faces pressure to accelerate vulnerability discovery and remediation.

Fact check

  • The Free Software Foundation patched a two-year-old vulnerability in GNU Savannah after Hacktron.AI reported it in early May 2026. (verified)
  • Microsoft attributed the Mastra AI supply chain attack to North Korean group Sapphire Sleet, compromising over 140 npm packages. (reported)
  • ShinyHunters published 45GB of data from Madison Square Garden, including facial recognition records and data from 26 million customers. (verified)
  • The Gravity SMTP WordPress plugin vulnerability CVE-2026-4020 (CVSS 5.3) allowed unauthenticated attackers to extract API keys from about 100,000 sites. (verified)
