Featured Article

CVE-2024-3094 The targeted backdoor supply chain attack against XZ and liblzma

By Ilkka Turunen on April 01, 2024 Software Supply Chain

Learn about a new, targeted backdoor supply chain attack against the popular XZ compression utility seen in many Linux distributions such as fedora and debian. Understand it's impact, potential risks

Read More

npm flooded with 748 packages that store movies

By Ax Sharma on January 25, 2024 vulnerabilities

4 minute read time

The Sonatype Security Research team came across 748 packages flooding the npm software registry.

Read More...

Fake 'distube-config' npm package drops Windows info-stealing malware

By Ax Sharma on January 24, 2024 vulnerabilities

3 minute read time

Sonatype identified two npm packages that typosquat open source packages like Discord modules, in an attempt to infect Windows users with a Trojan

Read More...

What is the OWASP Top 10?

By Aaron Linskens on January 12, 2024 vulnerabilities

7 minute read time

Discover the significance of OWASP in cybersecurity – What is OWASP and why it is vital for developers and organizations? Dive deeper with Sonatype.

Read More...

DevSecOps tools: A beginner's guide

By Aaron Linskens on January 05, 2024 Open Source

6 minute read time

Explore categories of DevSecOps tools and their distinct use cases and roles in reshaping modern software development practices

Read More...

'everything' matters — why the npm package sparked controversy

By Ax Sharma on January 04, 2024 npm

4 minute read time

An npm package sparked controversy after its publication. Understand what it does and how you can safeguard yourself against such packages.

Read More...

Unraveling the Struts2 security vulnerability: A deep dive

By Aaron Linskens on December 21, 2023 security vulnerabilities

6 minute read time

Learn about the critical security vulnerability in Apache Struts2 from a Sonatype webinar covering CVE-2023-50164 with a risk of remote code execution

Read More...

Struts2 CVE-2023-50164 by the numbers

By Ilkka Turunen on December 19, 2023 vulnerability disclosure

5 minute read time

Struts2 security vulnerability is not like Log4j, but it is similar to historic breaches and has the potential for disaster if not addressed properly.

Read More...

OpenSSF responds to CISA, advocates for a multifaceted approach to software identification

By Aaron Linskens on December 18, 2023 government

5 minute read time

OpenSSF published a response to CISA's request for comment on their white paper about software identification

Read More...

CVE-2023-50164: Another vulnerability in the widely used Apache Struts2 component

By Jeff Wayman on December 14, 2023 vulnerabilities

6 minute read time

The recent identification of CVE-2023-50164 in Apache Struts is quite similar to other vulnerabilities Sonatype has seen and covered in the past.

Read More...

Previous Next

CVE-2024-3094 The targeted backdoor supply chain attack against XZ and liblzma

npm flooded with 748 packages that store movies

Fake 'distube-config' npm package drops Windows info-stealing malware

What is the OWASP Top 10?

DevSecOps tools: A beginner's guide

'everything' matters — why the npm package sparked controversy

Unraveling the Struts2 security vulnerability: A deep dive

Struts2 CVE-2023-50164 by the numbers

OpenSSF responds to CISA, advocates for a multifaceted approach to software identification

CVE-2023-50164: Another vulnerability in the widely used Apache Struts2 component

Secure your software supply chain

Subscribe for all the latest software security news and events