IBM drops $5 billion to sweep open-source vulnerabilities! Recruiting 20,000 engineers for the mission, with 6 major financial giants already onboard
動區 BlockTempo, 2026-05-28 10:39:11

IBM has partnered with its open-source subsidiary Red Hat to officially launch "Project Lightwell," investing $5 billion and mobilizing 20,000 full-time engineers to scan open-source software for vulnerabilities at scale using cutting-edge AI technology. Bank of America, JPMorgan Chase, Visa, Mastercard, Wells Fargo, and Morgan Stanley have already joined the platform as early partners, and protection coverage expands significantly from Red Hat's own environment to AI frameworks, code repositories, and distributed infrastructure such as Apache Kafka. Compiled and reported by BlockTempo.

(Background: AI package LiteLLM with nearly a billion monthly downloads hit by supply chain attack, crypto wallets and SSH keys completely compromised)

(Context: AI security startup Depthfirst beats Anthropic Mythos! Uncovers 18-year-old vulnerability lurking in NGINX)

Key Highlights

- IBM partners with Red Hat to launch Project Lightwell, investing $5 billion and mobilizing 20,000 engineers to identify and fix open-source software vulnerabilities using AI technology
- Bank of America, JPMorgan Chase, Visa, Mastercard, Wells Fargo, and Morgan Stanley have joined the platform as early partners
- Protection coverage expands from Red Hat's own systems to AI frameworks, code repositories, and a broader open-source technology ecosystem including Apache Kafka

This year, the frequency and destructive power of open-source software supply chain attacks have been accelerating. In March, the AI package LiteLLM, with nearly a billion monthly downloads, was injected with malicious code that stole crypto wallet private keys and SSH keys; in May, even computers belonging to OpenAI employees were affected by the TanStack npm supply chain attack. IBM chose this moment to act, expanding Red Hat's security capabilities from "in-house systems" to the entire open-source ecosystem.

Project Lightwell is no small undertaking, including a $5 billion investment and 20,000 full-time engineers. These engineers all come from IBM's existing workforce and are 100% dedicated to vulnerability identification and remediation: not outsourced, not part-time, not nominal consultants.

Red Hat Expands Again

Previously, Red Hat's security tools and vulnerability scanning were primarily confined to its own system environments, such as RHEL (Red Hat Enterprise Linux) and OpenShift. Project Lightwell breaks through this boundary. Protection coverage extends significantly outward, covering a broader technology ecosystem including AI frameworks (TensorFlow, PyTorch, etc.), open-source code repositories, and the distributed data streaming platform Apache Kafka.

Kafka is widely used in the global financial industry; JPMorgan Chase once posted over 500 job openings requiring Kafka experience. It is the underlying nervous system for real-time transaction processing, risk monitoring, and regulatory reporting. When your real-time payment system runs on Kafka at its core, and one of Kafka's dependencies gets injected with malicious code, your firewall can't save you. This is precisely the layer IBM is targeting.

Six Financial Giants Board First

When Project Lightwell was announced, it came with six early partners on board: Bank of America, JPMorgan Chase, Visa, Mastercard, Wells Fargo, and Morgan Stanley. This list essentially covers the core of the U.S. financial industry, including the two largest commercial banks, the two major card networks, a wealth management leader, and a retail banking giant. What they have in common is deep reliance on open-source infrastructure: from Kafka to Kubernetes to various AI inference frameworks, every layer could potentially become an entry point for supply chain attacks.

In May this year, IBM announced an expansion of its AI security product portfolio and deepened its partnership with Anthropic under the name Project Glasswing. Project Lightwell is the next move in the same game.

For the financial industry, this line of defense isn't coming too early. In just the first five months of this year, open-source supply chain attacks have already cost numerous tech companies and developers dearly.

FAQ

Are the 20,000 engineers for Project Lightwell newly hired?

No. All 20,000 full-time engineers come from IBM's existing workforce, 100% dedicated to identifying and fixing open-source software vulnerabilities, with no external recruitment involved.

How does Project Lightwell differ from Red Hat's existing security services?

Previously, Red Hat's security tools were primarily confined to its own system environments (such as RHEL, OpenShift). Project Lightwell expands protection coverage to AI frameworks, open-source code repositories, and a broader open-source technology ecosystem including Apache Kafka.