Malicious npm 'colors' typosquats pack Discord malware

By Ax Sharma on May 03, 2022 vulnerabilities

5 minute read time

Sonatype has caught newer typosquats of the popular 'colors' npm library that contain Discord info-stealing malware.

This Week in Malware—npm backdoors, bugs, 'mystery placeholders'

By Ax Sharma on April 29, 2022 vulnerabilities

6 minute read time

This Week in Malware we discuss malicious packages with backdoors and hidden Discord stealers, a serious npm bug that allowed for maintainer tampering, and hundreds of 'mystery placeholders' we are

This Week in Malware - Special Edition on Protestware and a Struts RCE Deja Vu

By Ax Sharma on April 15, 2022 vulnerabilities

4 minute read time

In a special edition of This Week in Malware, we change focus and look at protestware and the tale of a two-year-old Struts bug that's returned.

VMware VSphere dependency confusion attempt caught by Sonatype

By Ax Sharma on April 07, 2022 vulnerabilities

6 minute read time

Sonatype's automated malware detection bots flagged a suspicious dependency that has the same name as a real package used by VMware VSphere SDK developers.

Spring4Shell – by the numbers

By Ilkka Turunen on April 04, 2022 component vulnerability

6 minute read time

Spring4Shell, a new 0-day RCE, is not quite as bad as Log4shell but has a wide blast radius. We dive into the numbers on how the world is fixing the issue.

Fixing a vulnerability? Make sure your GitHub isn't showing too much

By Ax Sharma on April 04, 2022 github

5 minute read time

February's $326 million crypto hack at Wormhole and this month's findings by Sonatype shed light on the importance of secrets management for open source developers.

New Spring Framework RCE Vulnerability Confirmed - What to do?

7 minute read time

A new remote code execution flaw dubbed Springshell is affecting Spring-beans, exploiting a previously unknown security vulnerability.

86 Malicious npm Packages Named After Popular NodeJS Functions

By Ax Sharma on March 28, 2022 vulnerabilities

4 minute read time

Sonatype has now discovered 83 packages on the npm open source repository named after popular NodeJS & JavaScript functions that exfiltrate system information.

This week in malware—400+ npm packages target Azure, Uber, Airbnb developers

By Ax Sharma on March 25, 2022 vulnerabilities

12 minute read time

This week in malware—dive deep into this week's findings from Sonatype's automated malware detection system.