This Week in Malware—Typosquats in PyPI, dependency confusion packages

By Hernán Ortiz on August 04, 2022 vulnerabilities

2 minute read time

This Week in Malware we discovered 50 packages that are either malicious or dependency confusion attacks.

Wicked Good Development Episode 13: Hacks and Ax, July Edition

By Kadi Grigg on August 03, 2022 npm

13 minute read time

Ax Sharma, a security researcher at Sonatype and tech journalist, joins Kadi and Omar for his monthly update on protestware and ransomware.

Ransomware in PyPI: Sonatype Spots 'Requests' Typosquats

By Ax Sharma on August 02, 2022 vulnerabilities

8 minute read time

Sonatype has spotted multiple typosquats of the popular Python library, 'requests' that contain ransomware scripts.

Open Source Licensing Shift: Fedora Blocks Creative Commons CC0

By Luke Mcbride on August 01, 2022 Nexus Lifecycle

6 minute read time

Recent news of a popular license no longer allowed in open source projects underlines the ongoing evolution of licenses and legal risk.

StringJS Typosquat Deploys Discord Infostealer Obfuscated Five Times

By Ax Sharma on July 26, 2022 vulnerabilities

4 minute read time

An npm package called 'stringjs_lib' identified by Sonatype this week typosquats the popular npm library 'string' (or StringJS) to ship an obfuscated info-stealer obfuscated not one, five times.

This Week in Malware—John Deere dependency confusion attempt and more

By Ax Sharma on July 22, 2022 vulnerabilities

3 minute read time

We discovered and analyzed 17 packages, at least a dozen of which were dependency confusion PoCs directly targeting the agricultural equipment giant John Deere (Deere & Company). An additional 42

John Deere dependency confusion attempt flagged by Sonatype

By Ax Sharma on July 21, 2022 vulnerabilities

4 minute read time

Sonatype identified 17 npm packages, at least 12 of which directly target John Deere's private npm dependencies via dependency confusion, a technique that continues to repeatedly be employed by bug

Wicked Good Development: Devoxx Poland developer conference recap

By Kadi Grigg on July 15, 2022 Community

24 minute read time

Kadi and Steve talk with Devoxx Poland Developer Conference speakers about their key takeaways and experiences at the Krakow event.

This Week in Malware—July 15th Edition

By Ax Sharma on July 15, 2022 vulnerabilities

2 minute read time

This Week in Malware we identified over 34 npm and PyPI packages that are either dependency confusion candidates, prank packages, contain PoC reverse shell code, or otherwise contain extensive