Sonatype Introduces Next Generation Dependency Management | Press Release

Ax Sharma

Endorsed an Exceptional Talent (‘a recognized leader’) in technology by the British Government, Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets like Fortune, The Register, TechRepublic, CSO Online, BleepingComputer, etc. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.

Discord squashes critical Electron bugs: open source attacks continue to grow

By Ax Sharma on October 21, 2020 | Nexus Lifecycle
Discord recently patched a set of critical vulns that could allow a skilled attacker to gain Remote Code Execution privileges on the users’ Desktop app.

Sonatype finds malicious npm packages which broadcast your IP, username, and device fingerprint info on the web

By Ax Sharma on September 30, 2020 | vulnerabilities
Initially found by Sonatype's malicious code detection bots, our researchers have discovered and confirmed the presence of two new vulnerable npm packages, electorn and loadyaml.

Inside the “fallguys” malware that steals your browsing data and gaming IMs; Continued attack on open source software

By Ax Sharma on September 02, 2020 | vulnerabilities
This weekend a malicious component called “fallguys” was discovered on npm impersonating an API for the widely popular video game, Fall Guys: Ultimate Knockout. Its actual purpose, however, was

From Prototype Pollution to full-on remote code execution, how can adversaries exploit npm modules?

By Ax Sharma on August 19, 2020 | vulnerabilities
August's Nexus Intelligence Insight looks at the NodeJS component express-fileupload which now has a critical Prototype Pollution vulnerability.

Nexus Intelligence Insights: CVE-2020-13935 - Apache Tomcat Websocket - Denial of Service (DoS)

By Ax Sharma on July 29, 2020 | vulnerabilities
July’s Nexus Intelligence Insight takes a deep dive into a Denial of Service (DoS) vulnerability impacting the popular Apache Tomcat Websocket component.

Nexus Intelligence Insights: xlsx aka SheetJS - Regular Expression Denial of Service (ReDoS) and sonatype-2018-0622

By Ax Sharma on May 06, 2020 | vulnerabilities
The ReDoS vulnerability impacting the popular npm component SheetJS, also known as “xlsx,” was thought to be remedied through a fix, but no, not so fast.

Nexus Intelligence Insights: Protect Your Bitcoin from 700+ Malicious RubyGems with sonatype-2020-0196

By Ax Sharma on April 23, 2020 | vulnerability
Crafty attackers take advantage of the open source software supply chain through typographical errors. Not even the most sophisticated devs are immune.

Nexus Intelligence Insights: CVE-2019-3773 Spring Web Services XML External Entity Injection (XXE)

By Ax Sharma on March 18, 2020 | vulnerabilities
This Nexus Intelligence Insight covers CVE-2019-3773: cross-site scripting vulnerabilities in Spring Web Services XML External Entity Injection (XXE).

Nexus Intelligence Insights: What's in a Ghostcat? CVE-2020-1938 Apache Tomcat - Local File Inclusion Potentially Leads to RCE

By Ax Sharma on March 09, 2020 | vulnerabilities
Ghostcat manipulates the widely used Apache Tomcat web server. No version of Tomcat released in the last 13 years is immune, unless properly patched.