IBM commits $5 billion to tackle open-source vulnerabilities and mobilizes 20,000 engineers; six major financial institutions have already signed on.

IBM has teamed up with its open-source subsidiary Red Hat to officially launch the "Project Lightwell" program, committing 5 billion USD and 20,000 full-time engineers to scan open-source software for vulnerabilities at scale using AI tooling. Bank of America, JPMorgan Chase, Visa, Mastercard, Wells Fargo, and Morgan Stanley have joined the platform as early partners, and the scope of protection expands sharply from Red Hat's own environments to a broader ecosystem of shared infrastructure such as AI frameworks, code repositories, and Apache Kafka. Compiled and reported by Dongqu Dongqu.
(Background: the AI package LiteLLM, with nearly 100 million downloads per month, was used as a supply-chain attack vector, compromising crypto wallets and SSH keys across affected machines.)
(Additional background: AI security startup Depthfirst beats Anthropic Mythos, uncovering an NGINX vulnerability that had lurked for 18 years.)

Key Highlights

  • IBM teams up with Red Hat to launch Project Lightwell, investing 5 billion USD and mobilizing 20,000 engineers to identify and fix open-source software vulnerabilities with AI technology
  • Bank of America, JPMorgan Chase, Visa, Mastercard, Wells Fargo, and Morgan Stanley have joined the platform as early partners
  • The protection scope expands from Red Hat’s own systems to include a wide range of open-source technology ecosystems such as AI frameworks, code repositories, and Apache Kafka

Since the start of this year, open-source software supply-chain attacks have escalated rapidly in both frequency and impact. In March, the AI package LiteLLM, with nearly 100 million monthly downloads, was implanted with malicious code that stole crypto wallet private keys and SSH keys; in May, even computers used by OpenAI employees were hit by a supply-chain attack on TanStack npm packages. IBM chose this moment to extend the security capabilities of its Red Hat unit from "its own systems" to the open-source ecosystem as a whole.

Project Lightwell is no small undertaking: a 5 billion USD investment and 20,000 full-time engineers. These engineers are all drawn from IBM's existing headcount and are dedicated entirely to vulnerability identification and remediation. There is no outsourcing, no part-time staffing, and no external consultants.

Red Hat expands again

Previously, Red Hat’s security tools and vulnerability scanning were mainly limited to its own system environments, such as RHEL (Red Hat Enterprise Linux) and OpenShift.

Project Lightwell breaks through that boundary. The protection scope is extended well outward, covering a broader technical ecosystem that includes AI frameworks (such as TensorFlow and PyTorch), open-source code repositories, and distributed data streaming platforms such as Apache Kafka. Kafka is used throughout the global financial industry; JPMorgan Chase has at one point posted more than 500 job openings requiring Kafka experience. It is the underlying "nervous system" for real-time transaction processing, risk monitoring, and regulatory reporting.

When your real-time payments system runs on Kafka and one of Kafka's dependencies has been implanted with malicious code, a perimeter firewall cannot help: the malicious code already executes inside your trusted environment, with the privileges of the application that loaded it. That dependency layer is exactly what IBM is targeting.

Six financial giants get on board first

When Project Lightwell was announced, it came with six early partners: Bank of America, JPMorgan Chase, Visa, Mastercard, Wells Fargo, and Morgan Stanley.

This lineup covers much of the core of the U.S. financial industry: two of the largest commercial banks, the two major card networks, a leading wealth management firm, and a retail banking giant. What they share is deep reliance on open-source infrastructure, from Kafka to Kubernetes to a range of AI inference frameworks, where every layer is a potential entry point for a supply-chain attack.

In May this year, IBM had only just announced an expansion of its AI security product portfolio and, under the name Project Glasswing, deepened its collaboration with Anthropic. Project Lightwell is the next move in the same strategic plan.

For the financial industry, this line of defense arrives none too soon. In the first five months of this year alone, open-source supply-chain attacks have already inflicted significant losses on multiple technology companies and developers.

Frequently Asked Questions

Are the 20,000 engineers in Project Lightwell newly hired?

No. All 20,000 full-time engineers come from IBM’s existing staff, are 100% dedicated to open-source software vulnerability identification and remediation, and do not involve external hiring.

How is Project Lightwell different from Red Hat’s existing security services?

Previously, Red Hat’s security tools mainly focused on its own system environments (such as RHEL and OpenShift). Project Lightwell expands the protection scope to include AI frameworks, open-source code repositories, and broader open-source technology ecosystems such as Apache Kafka.
