John Deere Dependency Confusion Attempt Flagged by Sonatype

By Ax Sharma on July 21, 2022 vulnerabilities

4 minute read time

Sonatype identified 17 npm packages, at least 12 of which directly target John Deere's private npm dependencies via dependency confusion, a technique that continues to be employed repeatedly by bug

npm Package Downloads Another Package While Exfiltrating Your IP Address and Username

By Ax Sharma on May 06, 2022 vulnerabilities

5 minute read time

On any given day we analyze hundreds of suspicious npm and PyPI packages, but this one stood out to us. An npm package that downloads another empty npm package?

This Week in Malware—Malicious 'Distutil' and Spring4Shell Active Exploitation

By Ax Sharma on April 22, 2022 github

7 minute read time

A malicious 'Distutil' PyPI package, active Spring4Shell exploitation by attackers deploying cryptominers, an open source tool that enabled users to add Google Play to PCs but secretly installed

VMware vSphere Dependency Confusion Attempt Caught by Sonatype

By Ax Sharma on April 07, 2022 vulnerabilities

6 minute read time

Sonatype's automated malware detection bots flagged a suspicious public package with the same name as a real package used by VMware vSphere SDK developers.

Why Are Dependency Confusion Attacks Not Going Away?

By Ax Sharma on February 09, 2022 dependencies

4 minute read time

Sonatype has caught more than 63,000 suspicious packages, the majority of which are dependency confusion candidates. Why are these attacks not going away?

PyPI Flooded With 1,275 Dependency Confusion Packages

By Ax Sharma on January 24, 2022 vulnerabilities

5 minute read time

PyPI, the popular Python open source software repository, has been flooded with over 1,200 dependency confusion packages uploaded by the same actor.

Are You Still Wondering About Dependency Confusion Attacks?

By Luke Mcbride on June 03, 2021 featured

4 minute read time

Despite positive legislation and standards, open source software supply chains remain vulnerable to dependency confusion attacks, in which a public package impersonates a legitimate private namespace.
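The mechanism behind the John Deere, VMware and PyPI entries above, as an added example that is not from Sonatype's posts or tooling: a small Python model of a client that merges a private registry with the public one and takes the highest version (the pip `--extra-index-url` behaviour), the owned-namespace policy that defeats it, and the collision check that produces the "dependency confusion candidates" the posts count. The package names, versions and registry contents are constructed for the example and are not data from any report.

```python
"""Dependency confusion, modelled offline.

Added illustration; the registry snapshots below are constructed for this
example (hypothetical 'acme-*' names) and are not real registry data."""

# Constructed snapshots: package name -> versions available on that registry.
PRIVATE_REGISTRY = {
    "acme-auth-client": ["1.4.2"],   # hypothetical internal package
    "acme-build-utils": ["0.9.0"],   # hypothetical internal package
    "left-pad": ["1.3.0"],           # open source package mirrored internally
}
PUBLIC_REGISTRY = {
    "left-pad": ["1.3.0"],
    "acme-auth-client": ["99.0.0"],  # squatted internal name with an inflated version
}
# Names the organisation publishes itself (mirrors of public packages excluded).
INTERNAL_NAMES = {"acme-auth-client", "acme-build-utils"}


def parse_version(v):
    """Dotted-integer versions only (assumption: no pre-release suffixes)."""
    return tuple(int(part) for part in v.split("."))


def resolve_merged(name, private=PRIVATE_REGISTRY, public=PUBLIC_REGISTRY):
    """Model of a client that merges both indexes and takes the highest version.

    pip does this with --extra-index-url; an npm client whose proxy forwards
    unscoped names to the public registry ends up in the same position.
    Private entries are listed first, so an exact version tie stays private.
    Returns (source, version).
    """
    candidates = [("private", v) for v in private.get(name, [])]
    candidates += [("public", v) for v in public.get(name, [])]
    if not candidates:
        raise LookupError(f"{name}: not found on any registry")
    # max() keeps the first of equal maxima, hence the private-first ordering.
    return max(candidates, key=lambda c: parse_version(c[1]))


def resolve_pinned(name, private=PRIVATE_REGISTRY, public=PUBLIC_REGISTRY,
                   internal=INTERNAL_NAMES):
    """Hardened policy: a name the organisation owns is fetched only from the
    private registry, whatever the public one advertises; other names resolve
    as before. (The npm equivalent is a scoped name such as @acme/auth-client
    with '@acme:registry=<private url>' in .npmrc; for pip, a single
    --index-url pointing at a proxy that serves internal names itself.)
    """
    if name in internal:
        versions = private.get(name, [])
        if not versions:
            raise LookupError(f"{name}: owned name missing from private registry")
        return "private", max(versions, key=parse_version)
    return resolve_merged(name, private, public)


def confusion_candidates(internal=INTERNAL_NAMES, public=PUBLIC_REGISTRY):
    """Flag owned names that also exist on the public registry, which is the
    collision a dependency confusion attempt creates.
    Returns {name: highest public version}."""
    return {n: max(public[n], key=parse_version)
            for n in sorted(internal) if n in public}


if __name__ == "__main__":
    print("merged :", resolve_merged("acme-auth-client"))  # ('public', '99.0.0')
    print("pinned :", resolve_pinned("acme-auth-client"))  # ('private', '1.4.2')
    print("flagged:", confusion_candidates())              # {'acme-auth-client': '99.0.0'}
```

The merged resolver installs the squatted 99.0.0 even though a real 1.4.2 exists internally, which is the whole attack; the pinned resolver never consults the public registry for an owned name, and the candidate check is the kind of collision scan a firewall policy runs before any install happens.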

Securing Software Supply Chains and Dependency Confusion — An Industry Perspective

By Derek Weeks on March 08, 2021 featured

28 minute read time

We sat down with experts from The Linux Foundation, Atlantic Council and Sonatype's own CTO to discuss recent software supply chain attacks, dependency confusion and security concerns.

Sonatype Releases New Nexus Firewall Policy to Secure Software Supply Chains from "Dependency Confusion" Attacks

By Brent Kostak on March 04, 2021 Nexus Firewall

5 minute read time

Sonatype's new Dependency Confusion Policy Protection, built on Nexus Firewall and Nexus Repository, automates dependency confusion protection at scale.