This week in malware, Sonatype's automated malware detection systems have flagged over four dozen packages on both the npm and PyPI registries. Most of these packages are dependency confusion candidates published as proof-of-concept (PoC) exercises by security enthusiasts and bug bounty hunters.
npm and PyPI Dependency Confusion Candidates
This week, Sonatype’s automated malware detection system, offered as part of Nexus Firewall, flagged the following packages on the npm and PyPI registries:
The discovery follows last week's report, which listed 120+ packages we had identified as malware and/or dependency confusion candidates.
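A dependency confusion candidate only matters if a resolver in your build can be made to pick it over your private package of the same name: for npm that happens when an internal package is unscoped, or its scope is not mapped to a private registry in .npmrc, and for pip when a project uses --extra-index-url, because pip then considers the public index too and selects the highest version across both. The following script, an added example written for this post rather than Sonatype's or Nexus Firewall's code, checks a manifest against a list of names you know to be internal and reports the ones a public PoC package could hijack. The package names, registry URLs and file contents are constructed for the example.

```python
"""Flag dependencies that a dependency-confusion package could hijack.

Added example, not Sonatype's code. Two well-known exposure conditions are checked:
- npm: an internal package that is unscoped, or whose scope is not pinned to a
  private registry in .npmrc, resolves from registry.npmjs.org if someone
  publishes the same name there.
- pip: with --extra-index-url (in requirements or pip.conf) pip searches the
  public index as well and picks the highest version found on any index.
"""
import configparser
import json
import re


def canonical(name: str) -> str:
    """PEP 503 name normalisation, so Acme_Billing.SDK == acme-billing-sdk."""
    return re.sub(r"[-_.]+", "-", name).lower()


def npm_exposed(package_json: str, npmrc: str, internal_names: set[str]) -> list[str]:
    """Return internal npm dependencies that are not protected by a scope pinned
    to a private registry."""
    manifest = json.loads(package_json)
    deps: dict[str, str] = {}
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(key, {}))

    # .npmrc scope mappings look like "@acme:registry=https://npm.example/".
    pinned_scopes = set()
    for line in npmrc.splitlines():
        m = re.match(r"\s*(@[^:\s]+):registry\s*=\s*(\S+)", line)
        if m and "registry.npmjs.org" not in m.group(2):
            pinned_scopes.add(m.group(1))

    exposed = []
    for name in deps:
        if name not in internal_names:
            continue
        scope = name.split("/")[0] if name.startswith("@") else None
        if scope is None or scope not in pinned_scopes:
            exposed.append(name)
    return sorted(exposed)


def pip_exposed(requirements: str, pip_conf: str, internal_names: set[str]) -> list[str]:
    """Return internal pip requirements that could be satisfied from the public
    index because an extra index is configured."""
    uses_extra = any(re.match(r"\s*--extra-index-url\b", ln) for ln in requirements.splitlines())
    cp = configparser.ConfigParser()
    cp.read_string(pip_conf)
    if cp.has_option("global", "extra-index-url"):
        uses_extra = True
    if not uses_extra:
        return []  # a single --index-url means only that index is consulted

    internal = {canonical(n) for n in internal_names}
    exposed = []
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or pip option line
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m and canonical(m.group(1)) in internal:
            exposed.append(m.group(1))
    return sorted(exposed)


# Constructed sample inputs (hypothetical names and registry URLs).
PACKAGE_JSON = json.dumps({
    "name": "acme-web",
    "dependencies": {
        "@acme/auth-client": "^2.1.0",       # scoped, scope pinned below: safe
        "acme-internal-logger": "1.4.2",     # unscoped internal name: hijackable
        "@legacy/build-tool": "^0.9.0",      # scoped, but scope not pinned: hijackable
        "express": "^4.18.2",                # genuinely public: not checked
    },
})
NPMRC = "@acme:registry=https://npm.acme.example/\n"
INTERNAL_NPM = {"@acme/auth-client", "acme-internal-logger", "@legacy/build-tool"}

REQUIREMENTS = (
    "--index-url https://pypi.acme.example/simple  # hypothetical private index\n"
    "--extra-index-url https://pypi.org/simple\n"
    "acme_internal_utils==3.2.0\n"
    "requests>=2.31\n"
    "Acme-Billing-SDK~=1.0\n"
)
PIP_CONF = "[global]\nindex-url = https://pypi.acme.example/simple\n"
INTERNAL_PIP = {"acme-internal-utils", "acme-billing-sdk"}

if __name__ == "__main__":
    print("npm exposed:", npm_exposed(PACKAGE_JSON, NPMRC, INTERNAL_NPM))
    print("pip exposed:", pip_exposed(REQUIREMENTS, PIP_CONF, INTERNAL_PIP))
```

Run it against the real package.json, .npmrc, requirements file and pip.conf of a project, with the internal name list taken from your private registry. An empty result does not prove safety (lockfiles, transitive dependencies and CI-side pip options are not inspected here), but any name it does report is one that a published PoC package with the same name and a higher version would replace.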
Turn on Nexus Firewall for Automatic Protection
As a DevSecOps organization, we remain committed to identifying and halting threats to open source developers and the wider software supply chain.
Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.
Nexus Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in progress, thereby keeping your software supply chain protected from the start.
Sonatype’s world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from infections.