Attending BSides Vilnius? Don't miss 📌 Jaroslav Lobačevski's session "LLM-assisted vulnerability hunting: hype vs. reality" to hear about the practical experience of using LLM agents for finding, triaging and reporting vulnerabilities in open-source software such as Signal or 7-Zip! 📅 June 4, 16:45 EEST 📍 Vilnius, Lithuania 👉 https://bsidesvilnius.lt/
About us
- Website: https://securitylab.github.com
- Industry: Software Development
Updates
-
Who's at DevTalks? Join Joseph Katsioloudes and discover practical ways to use AI for security through 12 GitHub Copilot demos from secure coding, to informed supply chain decisions, and secure SDLC. 📅 June 4, 14:00 EEST 📍 Bucharest, Romania 👉 https://www.devtalks.ro/
-
Attending AI DevCon? Join Joseph Katsioloudes and discover practical ways to use AI for security through 12 GitHub Copilot demos from secure coding, to informed supply chain decisions, and secure SDLC. 📅 June 1, 10:00 AM BST 📍 London, UK & Virtual 👉 https://lnkd.in/eAC_-9e5
-
Proof of Concept for GHSL-2026-140 (CVE-2026-48095) in 7-Zip <= 26.00. A crafted archive shrinks a 256 MB buffer into 1 byte, overwrites a function pointer with file content, and redirects execution. Full weaponization needs an ASLR bypass. Fixed in 26.01. Read more at https://lnkd.in/dJhz4DaR
-
GitHub Security Lab reposted this
📦 Security Track Spotlight: 👉Join Shelby Cunningham & Madison Oliver Ficorilli at #PyConUS 2026 for “Breaking Bad (Packages)” and learn why traditional vulnerability tracking struggles with supply chain attacks and what better approaches look like. https://lnkd.in/gvVEvEKA #security
-
Your mother tongue is the new programming language for creating exploits. For maintainer month, we took inspiration from #OpenClaw and built ProdBot! An intentionally vulnerable agent wired up with MCPs, skills, agentic workflows, and multi-agent capabilities. You will learn from it, while having fun! It runs in Codespaces, straight from your browser, in under two minutes. Play now at: gh.io/secure-code-game Learn more: https://lnkd.in/gacyENSm
-
On 25th April at 10AM, join Sylwia Budzynska for the workshop "Introduction to security research. Find a CVE with CodeQL" at the Linux Session organized by Akademickie Stowarzyszenie Informatyczne in Wroclaw, Poland! Learn security research and static analysis fundamentals when looking for vulnerabilities in software. Using an example CVE we’ll walk through how we could find the CVE, how CodeQL would detect it, and write a CodeQL query to find similar variants of the vulnerability at scale. Check out more information on the conference's website: https://linuksowa.pl/
-
Building with AI? 🤖 Then you won’t want to miss tomorrow’s Devoxx France 🏢 workshop with Xavier René-Corail and Joseph Katsioloudes — all about how to build robust AI-powered applications. Shall we play a Game? LLM Security in Practice https://lnkd.in/grbXk8dQ 📍 Paris 142 - Palais des Congrès, Porte Maillot, Paris 🗓️ April 22, 10.30am CET
-
Catch Shelby Cunningham on stage at CVE/FIRST VulnCon 2026 in Scottsdale, Arizona. Her panel, “Supply Chains and Malware Campaigns: Is CVE the Right Way to Name the Game?”, examines whether CVE is the right tool for tracking open-source supply chain compromises — from isolated package incidents to large-scale campaigns affecting hundreds of packages. Date: April 16, 2026 | 1:15–2:15 PM MST (UTC-7) Learn more: https://lnkd.in/g6YmzEVk
-
AI agents that execute commands, browse the web, and coordinate with other agents are everywhere. But how do you know they're safe? Season 4 of GitHub's Secure Code Game lets you find out by hacking one yourself. Free, hands-on, and you can get started in under 2 minutes! Learn more in our latest blog. https://lnkd.in/gacyENSm