npm package disables Windows Defender before dropping Trojan

By Ax Sharma on June 13, 2022 vulnerabilities

3 minute read time

npm package 'flame-vali' makes multiple attempts to disable Windows Defender on the infected system before downloading a cryptominer.

How to manage your open source licenses in 2022

By Luke Mcbride on June 02, 2022 licenses

7 minute read time

Development teams are using openly licensed software in their process, and lots of it. To comply with the requirements, you need license management tools.

A clear path forward toward more secure and maintainable open source software

By Brian Fox on May 13, 2022 featured

7 minute read time

Sonatype CTO shares thoughts following conversations, led by OpenSSF, where industry and government came together to discuss securing open source software.

Take control of your InnerSource components with InnerSource insight

By Chris Good on May 11, 2022 featured

7 minute read time

InnerSource Insight, an industry-first capability, makes it easier and safer for developers to use components developed by others in their organization.

npm package downloads another package while exfiltrating your IP address and username

By Ax Sharma on May 06, 2022 vulnerabilities

4 minute read time

On any given day we analyze hundreds of suspicious npm and PyPI packages, but this one stood out to us. An npm package that downloads another empty npm package?

Malicious npm 'colors' typosquats pack Discord malware

By Ax Sharma on May 03, 2022 vulnerabilities

5 minute read time

Sonatype has caught newer typosquats of the popular 'colors' npm library that contain Discord info-stealing malware.

This Week in Malware — npm backdoors, bugs, 'mystery placeholders'

By Ax Sharma on April 29, 2022 vulnerabilities

6 minute read time

This Week in Malware we discuss malicious packages with backdoors and hidden Discord stealers, a serious npm bug that allowed for maintainer tampering, and.

This Week in Malware - Special edition on protestware and a Struts RCE deja vu

By Ax Sharma on April 15, 2022 vulnerabilities

4 minute read time

In a special edition of This Week in Malware, we change focus and look at protestware and the tale of a two-year-old Struts bug that's returned.

VMware vSphere dependency confusion attempt caught by Sonatype

By Ax Sharma on April 07, 2022 vulnerabilities

5 minute read time

Sonatype's automated malware detection bots flagged a suspicious dependency that has the same name as a real package used by VMware vSphere SDK developers.