
New npm PoC packages target PayPal Zettle, Airbnb developers

By Ax Sharma on September 12, 2023 npm

4 minute read time

Sonatype identified npm packages that exploit dependency confusion, named after internal dependencies purportedly used by PayPal Zettle and Airbnb

PyTorch namespace (dependency) confusion attack

By Ilkka Turunen on January 04, 2023 News

4 minute read time

During the 2022 holiday season, a dependency confusion attack targeted PyTorch. Here's what users of PyTorch-NightlyBuild need to know.

John Deere dependency confusion attempt flagged by Sonatype

By Ax Sharma on July 21, 2022 vulnerabilities

3 minute read time

Sonatype identified 17 npm packages, at least 12 of which directly target John Deere's private npm dependencies via dependency confusion, a technique that.

npm package downloads another package while exfiltrating your IP address and username

By Ax Sharma on May 06, 2022 vulnerabilities

4 minute read time

On any given day we analyze hundreds of suspicious npm and PyPI packages, but this one stood out to us. An npm package that downloads another empty npm package?

This Week in Malware — Malicious 'Distutil' and Spring4Shell active exploitation

By Ax Sharma on April 22, 2022 github

7 minute read time

A malicious 'Distutil' PyPI package, active Spring4Shell exploitation by attackers deploying cryptominers, an open source tool that enabled users to add Google.

VMware vSphere dependency confusion attempt caught by Sonatype

By Ax Sharma on April 07, 2022 vulnerabilities

5 minute read time

Sonatype's automated malware detection bots flagged a suspicious dependency that has the same name as a real package used by VMware vSphere SDK developers.

Why are dependency confusion attacks not going away?

By Ax Sharma on February 09, 2022 dependencies

4 minute read time

Sonatype has caught more than 63,000 suspicious packages, the majority of which are dependency confusion candidates. Why are these attacks not going away?

PyPI flooded with 1,275 dependency confusion packages

By Ax Sharma on January 24, 2022 vulnerabilities

6 minute read time

PyPI, the popular Python open source software repository, has been flooded with over 1,200 dependency confusion packages by the same actor.

Are you still wondering about dependency confusion attacks?

By Luke Mcbride on June 03, 2021 featured

4 minute read time

Despite positive legislation and standards, open source software supply chains remain vulnerable to Dependency Confusion attacks by impersonating legitimate.