PyPI Flooded with 1,275 Dependency Confusion Packages

By Ax Sharma on January 24, 2022 vulnerabilities
Popular Python open source software repository, PyPI has been flooded with over 1,200 dependency confusion packages by the same actor.

npm Libraries ‘colors’ and ‘faker’ Sabotaged in Protest by their Maintainer—What to do Now?

By Ax Sharma on January 10, 2022 vulnerabilities
Popular npm open source libraries, colors.js, and faker.js were sabotaged by their own maintainer. What does that mean for open source sustainability?

Researcher Takes Over qr.js via Repo Hijacking. Is the npm Package Safe?

By Ax Sharma on December 31, 2021 vulnerabilities
Analyzing a live incident of repo jacking that affects the GitHub repository of the popular ‘qr.js’ library.

Log4j 2.17.1 fixes another code execution bug, but should you worry?

By Ax Sharma on December 29, 2021 vulnerabilities
News of another possible open source vulnerability connected to Log4j raised eyebrows. A look at the issue, its disclosure, and our response.

Log4shell by the numbers - Why did CVE-2021-44228 set the Internet on Fire?

By Ilkka Turunen on December 14, 2021 vulnerabilities
What the download numbers tell us about the impact of the critical vulnerability CVE-2021-44228

Tracking the ‘Noblox.js’ npm Malware Campaign

By Juan Aguirre on November 23, 2021 vulnerabilities
Another malicious npm package, noblox.js-rpc, was spotted on the registry that leverages familiar techniques to steal all sorts of sensitive data.

Fake npm Roblox API Package Installs Ransomware and has a Spooky Surprise

By Juan Aguirre on October 27, 2021 vulnerabilities
Fake npm Roblox API package discovered by Sonatype uncovers first known ransomware maliciously placed in typosquatted open source package.

Dependency Hijacking Software Supply Chain Attack Hits More Than 35 Organizations

By Ax Sharma on February 09, 2021 vulnerabilities
A security researcher managed to breach systems of over 35 tech companies in what has been described as a novel software supply chain attack.

The Central Repository Stands to Support Sailors from Bintray - 3 steps to take now to protect your builds from failing

By Ilkka Turunen on February 08, 2021 The Central Repository
We've created a practical guide for Bintray users migrating to the Central Repository to follow and ensure that use and distribution of open source components continues smoothly.