Featured Article

Devs flood npm with 15,000 packages to reward themselves with Tea 'tokens'

By Ax Sharma on April 16, 2024 vulnerabilities

The Sonatype Security Research team has identified over 15,000 npm packages that flood npm registry in a new trend where devs involved in the blockchain and cryptocurrency communities are leveraging

Read More

SHARE:

Sonatype_Blog_Logo_White
Illustrated picture of lightning bults with skulls raining down on 3 umbrellas
READ MORE

EU Cyber Resilience Act: Good for software supply chain security, bad for open source?

By Brian Fox on December 22, 2022 secure software supply chain

10 minute read time

The Cyber Resilience Act is the European Union's proposed regulation to combat threats affecting any digital entity. What does that mean for open source?
Read More...
Stylized Sonatype logo and article name
READ MORE

Introducing our 8th annual State of the Software Supply Chain

2 minute read time

Announcing the arrival of our 8th Annual State of the Software Supply Chain Report looking at managing open source security, industry trends, and more.
Read More...
READ MORE

Ransomware in PyPI: Sonatype spots 'Requests' typosquats

By Ax Sharma on August 02, 2022 vulnerabilities

7 minute read time

Sonatype has spotted multiple typosquats of the popular Python library, 'requests' that contain ransomware scripts.
Read More...
READ MORE

StringJS typosquat deploys Discord infostealer obfuscated five times

By Ax Sharma on July 26, 2022 vulnerabilities

4 minute read time

An npm package called 'stringjs_lib' identified by Sonatype this week typosquats the popular npm library 'string' (or StringJS) to ship an obfuscated.
Read More...
READ MORE

John Deere dependency confusion attempt flagged by Sonatype

By Ax Sharma on July 21, 2022 vulnerabilities

3 minute read time

Sonatype identified 17 npm packages, at least 12 of which directly target John Deere's private npm dependencies via dependency confusion, a technique that.
Read More...
READ MORE

PyPI packages steal Telegram cache files, add Windows Remote Desktop accounts

By Ax Sharma on July 07, 2022 vulnerabilities

3 minute read time

We analyze Python packages that steal Telegram Desktop client files and set up Remote Desktop access accounts after infecting Windows systems.
Read More...
READ MORE

python-dateutils — A cryptominer in disguise targeting Windows, Linux, macOS

By Ax Sharma on June 29, 2022 vulnerabilities

5 minute read time

We analyze a suspicious 'python-dateutils' PyPI package targeting Python developers to mine cryptocurrency after infecting their Windows, macOS or Linux.
Read More...
READ MORE

Python packages upload your AWS keys, env vars, secrets to the web

By Ax Sharma on June 23, 2022 vulnerabilities

5 minute read time

Multiple Python packages caught by Sonatype were seen uploading secrets such as AWS keys and environment variables to a web endpoint.
Read More...
Image of a progressive pride flag being held on the back of a person, depicted in a hexagon shape with a purple background
READ MORE

Yes, understanding gender is a professional issue

By Kelsey Hoffman (they/them) on June 15, 2022 featured

8 minute read time

Gender is a complex and frequently misunderstood topic. It's also a topic that we should all be talking about at work.
Read More...