The Shifting Landscape of Open Source Supply Chain Attacks - Part 3

By Brian Fox on January 26, 2023 thought leaders

11 minute read time

Brian Fox shares insights on who’s responsible for the security of software supply chains, and how orgs can minimize impact on efficiency and speed.

The Shifting Landscape of Open Source Supply Chain Attacks - Part 2

By Brian Fox on January 25, 2023 thought leaders

11 minute read time

Sonatype's Brian Fox delves into how bad actors and cybercriminals are attacking the software supply chain, and how cyberattacks continue to evolve.

The Shifting Landscape of Open Source Supply Chain Attacks - Part 1

By Brian Fox on January 24, 2023 thought leaders

8 minute read time

A deep dive into how modern supply chains manage problems, and how companies looking to secure their software supply chains can learn from their mistakes.

EU Cyber Resilience Act: Good for Software Supply Chain Security, Bad for Open Source?

By Brian Fox on December 22, 2022 secure software supply chain

10 minute read time

The Cyber Resilience Act is the European Union's proposed regulation setting cybersecurity requirements for products with digital elements. What does that mean for open source?

Introducing Our 8th Annual State of the Software Supply Chain Report

2 minute read time

Announcing the arrival of our 8th Annual State of the Software Supply Chain Report looking at managing open source security, industry trends, and more.

Ransomware in PyPI: Sonatype Spots 'Requests' Typosquats

By Ax Sharma on August 02, 2022 vulnerabilities

8 minute read time

Sonatype has spotted multiple typosquats of the popular Python library 'requests' that contain ransomware scripts.

StringJS Typosquat Deploys Discord Infostealer Obfuscated Five Times

By Ax Sharma on July 26, 2022 vulnerabilities

4 minute read time

An npm package called 'stringjs_lib', identified by Sonatype this week, typosquats the popular npm library 'string' (StringJS) to ship a Discord info-stealer that has been obfuscated not once but five times.

John Deere Dependency Confusion Attempt Flagged by Sonatype

By Ax Sharma on July 21, 2022 vulnerabilities

4 minute read time

Sonatype identified 17 npm packages, at least 12 of which directly target John Deere's private npm dependencies via dependency confusion, a technique that continues to be employed repeatedly by bug
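Dependency confusion works because an internal package name that is also resolvable from the public registry can be shadowed by a higher-versioned public upload. On npm the configuration control is to publish internal packages under a scope and map that scope to the private registry in .npmrc. The check below is an added example, not Sonatype's or John Deere's code; the package.json, .npmrc and internal-package list are constructed samples, and it inspects configuration only, not whether a same-named public package actually exists.

```python
"""Dependency-confusion exposure check for an npm project.

Added example, not Sonatype's or John Deere's code. Reads package.json and
.npmrc and, for each dependency the organisation publishes only internally,
flags the two configurations a public registry could satisfy: an unscoped
name, and a scoped name whose scope is not mapped to a private registry via
'@scope:registry=' in .npmrc. All inputs below are constructed samples.
"""
import json

PACKAGE_JSON = """{
  "name": "fleet-dashboard",
  "dependencies": {
    "express": "^4.18.2",
    "@acme/telemetry-client": "^2.1.0",
    "@acme-labs/feature-flags": "^0.4.1",
    "acme-auth-helpers": "^3.2.0",
    "acme-legacy-shim": "file:../legacy-shim"
  },
  "devDependencies": {
    "@acme/build-tools": "^0.9.0"
  }
}"""

NPMRC = """; constructed sample .npmrc
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.acme.example/repository/npm-private/
//npm.internal.acme.example/repository/npm-private/:_authToken=${NPM_TOKEN}
"""

# Names published only to the private registry (constructed).
INTERNAL_PACKAGES = {
    "@acme/telemetry-client",
    "@acme/build-tools",
    "@acme-labs/feature-flags",
    "acme-auth-helpers",
    "acme-legacy-shim",
}

# Specifiers npm resolves without consulting a registry at all.
NON_REGISTRY_PREFIXES = ("file:", "link:", "git", "http://", "https://", "github:", "workspace:")


def parse_npmrc(text: str) -> dict:
    """Return {'@scope': registry_url} from '@scope:registry=' lines; other keys ignored."""
    scopes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.startswith("@") and key.endswith(":registry"):
            scopes[key[: -len(":registry")]] = value.strip()
    return scopes


def scope_of(name: str):
    """'@acme/ui' -> '@acme'; unscoped names -> None."""
    return name.split("/", 1)[0] if name.startswith("@") and "/" in name else None


def all_dependencies(pkg: dict) -> dict:
    """Merge every dependency section of a parsed package.json."""
    fields = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")
    deps = {}
    for field in fields:
        deps.update(pkg.get(field, {}))
    return deps


def confusable_dependencies(package_json: str, npmrc: str, internal: set) -> list:
    """Return (name, reason) for internal dependencies a public registry could satisfy."""
    pkg = json.loads(package_json)
    scopes = parse_npmrc(npmrc)
    findings = []
    for name, spec in sorted(all_dependencies(pkg).items()):
        if name not in internal or spec.startswith(NON_REGISTRY_PREFIXES):
            continue
        scope = scope_of(name)
        if scope is None:
            findings.append((name, "unscoped: same name on the public registry is a candidate"))
        elif scope not in scopes:
            findings.append((name, f"scope {scope} not mapped to a private registry in .npmrc"))
    return findings


if __name__ == "__main__":
    for name, reason in confusable_dependencies(PACKAGE_JSON, NPMRC, INTERNAL_PACKAGES):
        print(f"{name}: {reason}")
```

In the sample, '@acme/telemetry-client' and '@acme/build-tools' pass because '@acme' is pinned to the private registry, 'acme-legacy-shim' is skipped because a file: specifier never touches a registry, and the two findings are the unscoped 'acme-auth-helpers' and '@acme-labs/feature-flags', whose scope is not mapped. A global registry= pointing at an internal proxy does not change the result here: if that proxy also mirrors the public registry, an unscoped name is still exposed, which is why the script treats only scope mapping as protection.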

PyPI Packages Steal Telegram Cache Files, Add Windows Remote Desktop Accounts

By Ax Sharma on July 07, 2022 vulnerabilities

4 minute read time

We analyze Python packages that steal Telegram Desktop client files and set up Remote Desktop access accounts after infecting Windows systems.