Featured Article

CVE-2024-3094 The targeted backdoor supply chain attack against XZ and liblzma

By Ilkka Turunen on April 01, 2024 Software Supply Chain

Learn about a new, targeted backdoor supply chain attack against the popular XZ compression utility seen in many Linux distributions such as fedora and debian. Understand its impact, potential risks

Read More

The history of Maven Central and Sonatype: A journey from past to present

By Aaron Linskens on November 14, 2023 Software Supply Chain

11 minute read time

Explore the evolution of Maven Central, highlighting its crucial role in the Java ecosystem and software development overall and its connection to Sonatype

Read More...

SAST vs. DAST: Enhancing application security

By Aaron Linskens on September 21, 2023 DAST

7 minute read time

Explore advantages and limits of static application security testing SAST and dynamic application security testing DAST in application security

Read More...

npm packages caught exfiltrating Kubernetes config, SSH keys

By Ax Sharma on September 19, 2023 npm

4 minute read time

Sonatype tracks an ongoing campaign that uses npm packages to retrieve and exfiltrate Kubernetes configuration and SSH keys to an external server

Read More...

New npm PoC packages target PayPal Zettle, Airbnb developers

By Ax Sharma on September 12, 2023 npm

4 minute read time

Sonatype identified npm packages that exploit dependency confusion, named after internal dependencies purportedly used by PayPal Zettle and Airbnb

Read More...

A guide for open source software (OSS) security

By Aaron Linskens on August 28, 2023 secure software supply chain

6 minute read time

Evaluate open source software (OSS) security to ensure safe usage of software components in software development life cycles and software supply chains

Read More...

Malicious PyPI package ‘VMConnect’ imitates VMware vSphere connector module

By Ax Sharma on August 03, 2023 Open Source

3 minute read time

A malicious PyPI package ‘VMConnect’ designed to resemble VMware vSphere Connector Module was caught by Sonatype’s automated malware detection systems

Read More...

Getting started with the Secure Software Development Framework (SSDF)

By Aaron Linskens on July 27, 2023 Software Supply Chain

6 minute read time

Discover how to get started with the Secure Software Development Framework (SSDF), what it contains, and why should you leverage it

Read More...

“Quoi...? feur” from meme to malware – PyPI package targets Windows with ‘NullRAT’ info-stealer

By Ax Sharma on July 17, 2023 PyPI

3 minute read time

A malicious PyPI package called ‘feur’ was caught by Sonatype’s automated malware detection systems

Read More...

A closer look: Differentiating software vulnerabilities and malware

By Aaron Linskens on July 11, 2023 vulnerabilities

7 minute read time

Vulnerabilities and malware in open source software pose significant threats to the security and integrity of your software supply chain

Read More...

Previous Next

CVE-2024-3094 The targeted backdoor supply chain attack against XZ and liblzma

The history of Maven Central and Sonatype: A journey from past to present

SAST vs. DAST: Enhancing application security

npm packages caught exfiltrating Kubernetes config, SSH keys

New npm PoC packages target PayPal Zettle, Airbnb developers

A guide for open source software (OSS) security

Malicious PyPI package ‘VMConnect’ imitates VMware vSphere connector module

Getting started with the Secure Software Development Framework (SSDF)

“Quoi...? feur” from meme to malware – PyPI package targets Windows with ‘NullRAT’ info-stealer

A closer look: Differentiating software vulnerabilities and malware

Secure your software supply chain

Subscribe for all the latest software security news and events