Critical New 0-day Vulnerability in Popular Log4j Library Discovered | Read Blog

New Year, New CVE: a Deep Dive into the ‘node-forge’ (CVE-2022-0122)

By Juan Aguirre on January 25, 2022 vulnerabilities
There's no better way to kick off the new year than with an analysis of an open source vulnerability affecting the popular node-forge component on npm.
Read More...

PyPI Flooded with 1,275 Dependency Confusion Packages

By Ax Sharma on January 24, 2022 vulnerabilities
Popular Python open source software repository, PyPI has been flooded with over 1,200 dependency confusion packages by the same actor.
Read More...

New Log4j 1.x CVEs, and critical Chainsaw Vulnerability — What to Do?

By Ax Sharma on January 21, 2022 vulnerabilities
Apache disclosed 3 vulns impacting Log4j 1.x versions, which included info on a critical Apache Chainsaw vulnerability buried within.
Read More...

'Faker' npm Library Gets New Home After Dev Throws in the Towel

By Ax Sharma on January 18, 2022 npm
Reputable maintainers have taken over the popular (and crucial) open source component "Faker", and it's already seeing traction.
Read More...

npm Libraries ‘colors’ and ‘faker’ Sabotaged in Protest by their Maintainer—What to do Now?

By Ax Sharma on January 10, 2022 vulnerabilities
Popular npm open source libraries, colors.js, and faker.js were sabotaged by their own maintainer. What does that mean for open source sustainability?
Read More...

FTC Warning in Wake of Log4j: Secure Your Software Supply Chain

By Andrew Yorra on January 06, 2022 legal
Not addressing Log4shell issues are looking at more than downtime or reputation damage. U.S. regulators are considering lawsuits to enforce security.
Read More...

How Large Organizations Can Easily Scan for Log4j Vulnerabilities

By Rishav Mishra on December 31, 2021 Nexus Lifecycle
Large orgs looking for the Log4j vulnerability in 1000s of apps, can be more effective and efficient with Nexus Lifecycle and Easy SCM Onboarding.
Read More...

Researcher Takes Over qr.js via Repo Hijacking. Is the npm Package Safe?

By Ax Sharma on December 31, 2021 vulnerabilities
Analyzing a live incident of repo jacking that affects the GitHub repository of the popular ‘qr.js’ library.
Read More...

New Nexus Repository Visualizer Provides Insights into Log4j Usage

By Chris Good on December 30, 2021 Nexus Repository
Vulnerable Log4j components are still in active use. New functionality available for Sonatype's Nexus Repository monitors and helps address these issues.
Read More...