Comparing and converting between SBOM formats

10 minute read time

A step-by-step guide on how to convert between SBOM formats using tooling from the official repositories of SPDX and CycloneDX.
Read More...

npm packages spread 'Bladeroid' crypto-stealer, hijack your Instagram

By Ax Sharma on February 29, 2024 vulnerabilities

4 minute read time

Sonatype has identified multiple open source packages that infect npm developers with a Windows info-stealer and crypto-stealer called Bladeroid
Read More...

The curious case of 'csrf-magic': A case study in supply chain poisoning

By Ax Sharma on February 27, 2024 vulnerability

5 minute read time

Learn how a so-called code injection vulnerability was in fact a backdoor in an open source component, csrf-magic, to help secure your application against Cross-Site Request Forgery attacks.
Read More...

Exploited Ivanti Connect SSRF vulnerability traced back to 'xmltooling' OSS library

By Ax Sharma on February 05, 2024 vulnerability

5 minute read time

It might be a little known fact that one of the high severity zero-days found in Ivanti devices is actually present in an open source component that the company has deployed in its products. Ivanti's
Read More...

npm flooded with 748 packages that store movies

By Ax Sharma on January 25, 2024 vulnerabilities

4 minute read time

The Sonatype Security Research team came across 748 packages flooding the npm software registry.
Read More...

DevSecOps tools: A beginner's guide

By Aaron Linskens on January 05, 2024 Open Source

6 minute read time

Explore categories of DevSecOps tools and their distinct use cases and roles in reshaping modern software development practices
Read More...

'everything' matters — why the npm package sparked controversy

By Ax Sharma on January 04, 2024 npm

4 minute read time

An npm package sparked controversy after its publication. Understand what it does and how you can safeguard yourself against such packages.
Read More...

Unraveling the Struts2 security vulnerability: A deep dive

By Aaron Linskens on December 21, 2023 security vulnerabilities

6 minute read time

Learn about the critical security vulnerability in Apache Struts2 from a Sonatype webinar covering CVE-2023-50164 with a risk of remote code execution
Read More...

Struts2 CVE-2023-50164 by the numbers

By Ilkka Turunen on December 19, 2023 vulnerability disclosure

5 minute read time

Struts2 security vulnerability is not like Log4j, but it is similar to historic breaches and has the potential for disaster if not addressed properly.
Read More...