OpenSSF Community Day North America 2026

As AI becomes a bigger part of software and open source development, security needs are changing quickly. This talk will cover how the Open Source Security Foundation is ramping up the use of and support for AI security across the open source ecosystem.

In July 2025, PyPI users received emails directing them to another site - a near-perfect clone transparently proxying requests to pypi.org. Within hours, attackers compromised four accounts and uploaded malicious releases of the popular num2words package.

This talk dissects the complete attack chain: how attackers harvested email addresses from public package metadata, built a transparent proxy that relayed TOTP codes in real-time, and why traditional 2FA failed while WebAuthn-based authentication stopped the attack cold.

The session covers the incident response timeline, challenges getting malicious infrastructure taken down (including initial rejection of abuse reports), and defensive measures deployed afterward—including new email verification for TOTP logins from unrecognized devices.

Attendees will learn exactly how modern phishing attacks work against package repositories, the critical difference between "phishable" and "phishing-resistant" 2FA, and practical steps to protect accounts and packages from the next campaign. The talk also examines the September 2025 follow-up campaign targeting another domain and patterns across these ongoing attacks.

The OpenSSF BEAR (Belonging, Empowerment, Allyship, and Representation) Working Group is on a mission to make cybersecurity a place where everyone belongs! We knock down barriers and crank up the volume for underrepresented voices. We've learned that true representation is about building fun, lasting paths for participation.

In this session, we'll take you on a journey through the evolution of BEAR, culminating in the exciting launch of our newest global family member, SIG OpenSSF Africa (Open Source Security Foundation Africa)! We'll share some insights and "Aha!" moments from our monthly Community Office Hours - including those unexpected successful strategies - and get honest about the triumphs and challenges of our mentorship program.

Looking to level up your community game? Whether you want to understand the real-world challenges facing diverse groups in security or just need some practical, battle-tested frameworks for building vibrant community programs, this session is your toolkit. Get ready for an open, fun look at building a truly inclusive open source security community!

The AI Cyber Challenge demonstrated that AI-powered Cyber Reasoning Systems (CRS) can autonomously find and fix software vulnerabilities at scale. But how do we take those advancements and make them accessible to the broader security community? Enter OSS-CRS: an open-source, standardized framework designed to accelerate the development of AI-assisted bug-finding and remediation systems. In this session, we'll walk through the design principles of OSS-CRS, show how it lowers the barriers to building and benchmarking next-generation CRS tooling, and demonstrate how users can easily deploy and run CRSs against their own codebases. Whether you're a security researcher, tooling developer, AI practitioner, or project maintainer, come learn about the growing ecosystem around AI-powered CRSs.