OpenClaw Gets a Foundation While the Software Supply Chain Takes Four New Hits
Techstrong Gang
•
47m
OpenClaw AI agent security gets a governance Foundation
OpenClaw is a viral open-source AI agent framework. It connects to WhatsApp, Telegram, Signal and Discord. It can read email, manipulate files and run scripts on a user's own machine. Now it's getting an independent governance body: the OpenClaw Foundation. Techstrong.ai reports the move follows growing concern over OpenClaw AI agent security. Researchers describe OpenClaw as carrying a "lethal trifecta of risks": deep access to private local data, exposure to untrusted external content, and the ability to communicate outward. That combination is exactly why OpenClaw AI agent security has become an urgent conversation this week.
The Foundation borrows its model from the non-profit stewards of Kubernetes and the Linux kernel. It will provide a neutral home for the codebase, a charter, a technical steering committee and a full-time team. Microsoft, NVIDIA and the University of Michigan are partnering with the new Foundation. Together they aim to shore up OpenClaw AI agent security for the long term.
NVIDIA and LangChain cut enterprise AI agent costs by 10x
NVIDIA and LangChain introduced NemoClaw for LangChain Deep Agents. The blueprint combines NVIDIA's Nemotron 3 Ultra model with LangChain's Deep Agents orchestration layer, according to Techstrong.ai. The tuned configuration scored 0.86 on LangChain's benchmark. It ran at $4.48 per task versus $43.48 for the next-best model. That's roughly a 10x cost reduction. Abridge, Amdocs and Box are already integrating the blueprint.
Cordyceps: one free GitHub account can hijack CI/CD
Novee disclosed Cordyceps, a new exploit chain. It lets any unauthenticated GitHub user hijack CI/CD workflows, according to DevOps.com. Researchers confirmed more than 300 exploitable repositories. The list includes Microsoft and Google, where an attacker reportedly gained unauthenticated control of a Cloud project.
GhostApproval: AI coding tools fall for an old symlink trick
Wiz found a flaw called GhostApproval in six major AI coding assistants. The affected tools are Claude Code, Amazon Q Developer, Google Antigravity, Augment, Cursor and Windsurf, per DevOps.com. The flaw abuses Unix symbolic links. It tricks an agent into writing to files the user never approved. AWS, Cursor and Google shipped fixes. Anthropic first rejected the finding, then added a warning.
HalluSquatting turns AI hallucinations into a botnet delivery system
Researchers at Tel Aviv University and Technion built HalluSquatting. They pre-registered the exact fake package names AI coding assistants tend to hallucinate, according to The Hacker News. Six assistants — including Cursor, Copilot and Gemini CLI — became unwitting botnet installers. The attack needs no exploit and no malware, just text the AI reads.
North Korea expands PolinRider to four open-source ecosystems
North Korea-linked groups Famous Chollima and APT37 expanded their PolinRider campaign. It now hits npm, Packagist, Go modules and the Chrome Store, per DevOps.com. The group planted more than 108 malicious packages. They hide loaders in whitespace padding and fake .woff2 files, and rewrite Git history to look legitimate.
TrojPix: when the video cable becomes the leak
Researchers at Shandong University built TrojPix. It modulates on-screen pixels so a video cable radiates a decodable radio signal, according to Security Boulevard. The signal moves at 8.1 Mbps and reaches up to 208 meters. It needs no admin rights and no hardware changes. The technique works across nine monitor brands and 15 cable types.
Watch the full episode
Hosts: Mike Vizard
Guests: Jack Poller, Jeff Reich, Tracy Ragan
For more on how teams are approaching OpenClaw AI agent security, watch our related coverage on the Techstrong Gang show page. Browse the full Techstrong TV video library for daily analysis of the stories shaping DevOps, security and AI.
Up Next in Techstrong Gang
-
Windows Telemetry Cracks a Hacker Cas...
A Windows device ID caught an alleged Scattered Spider hacker despite VPN use. China's NVDB flags a "backdoor" in Anthropic's Claude Code. Ex-GitHub CEO Thomas Dohmke unveils a distributed Git network for AI agents. And Alan Shimel makes the case that AI didn't steal your thinking — you gave it a...
-
NVIDIA's AI Cloud Revenue Grab, the A...
NVIDIA now takes a cut of AI cloud revenue, not just hardware sales. A YouGov survey reveals how deeply AI has embedded into young Americans' personal lives. And Hollywood fights over AI actress Tilly Norwood, Scorsese, and Google's A24 deal. Techstrong Gang breaks it all down.
-
Apple-Broadcom AI Chip Deal, IBM's Ma...
Apple Broadcom AI chip partnership extends through 2031
Broadcom has secured a major long-term extension to supply custom semiconductors to Apple through 2031, according to regulatory filings reported by Techstrong Semi. The deal covers application-specific integrated circuits (ASICs) that will ...