Featured Article

Devs flood npm with 15,000 packages to reward themselves with Tea 'tokens'

By Ax Sharma on April 16, 2024 vulnerabilities

The Sonatype Security Research team has identified over 15,000 npm packages that flood npm registry in a new trend where devs involved in the blockchain and cryptocurrency communities are leveraging

Read More

SHARE:

Sonatype_Blog_Logo_White
READ MORE

New npm PoC packages target PayPal Zettle, Airbnb developers

By Ax Sharma on September 12, 2023 npm

4 minute read time

Sonatype identified npm packages that exploit dependency confusion, named after internal dependencies purportedly used by PayPal Zettle and Airbnb
Read More...
READ MORE

PyTorch namespace (dependency) confusion attack

By Ilkka Turunen on January 04, 2023 News

4 minute read time

During the 2022 holiday season, a dependency confusion attack targeted PyTorch. Here's what users of PyTorch-NightlyBuild need to know.
Read More...
READ MORE

John Deere dependency confusion attempt flagged by Sonatype

By Ax Sharma on July 21, 2022 vulnerabilities

3 minute read time

Sonatype identified 17 npm packages, at least 12 of which directly target John Deere's private npm dependencies via dependency confusion, a technique that.
Read More...
READ MORE

npm package downloads another package while exfiltrating your IP address and username

By Ax Sharma on May 06, 2022 vulnerabilities

4 minute read time

On any given day we analyze hundreds of suspicious npm and PyPI packages, but this one stood out to us. An npm package that downloads another empty npm package?
Read More...
READ MORE

This Week in Malware — Malicious 'Distutil' and Spring4Shell active exploitation

By Ax Sharma on April 22, 2022 github

7 minute read time

A malicious 'Distutil' PyPI package, active Spring4Shell exploitation by attackers deploying cryptominers, An open source tool that enabled users to add Google.
Read More...
Image of a sphere covered by code
READ MORE

VMware VSphere dependency confusion attempt caught by Sonatype

By Ax Sharma on April 07, 2022 vulnerabilities

5 minute read time

Sonatype's automated malware detection bots flagged a suspicious dependency that has the same name as a real package used by VMware VSphere SDK developers.
Read More...
Question marks on a chalkboard
READ MORE

Why are dependency confusion attacks not going away?

By Ax Sharma on February 09, 2022 dependencies

4 minute read time

Sonatype has caught more than 63,000 suspicious packages, the majority of which are dependency confusion candidates. Why are these attacks not going away?
Read More...
image of a green python curled up on a tree branch
READ MORE

PyPI flooded with 1,275 dependency confusion packages

By Ax Sharma on January 24, 2022 vulnerabilities

6 minute read time

Popular Python open source software repository, PyPI has been flooded with over 1,200 dependency confusion packages by the same actor.
Read More...
Dependency Confusion open source attacks explained
READ MORE

Are you still wondering about dependency confusion attacks?

By Luke Mcbride on June 03, 2021 featured

4 minute read time

Despite positive legislation and standards, open source software supply chains remain vulnerable to Dependency Confusion attacks by impersonating legitimate.
Read More...