Featured Article

Devs flood npm with 15,000 packages to reward themselves with Tea 'tokens'

By Ax Sharma on April 16, 2024 vulnerabilities

The Sonatype Security Research team has identified over 15,000 npm packages that flood npm registry in a new trend where devs involved in the blockchain and cryptocurrency communities are leveraging

Read More

SHARE:

Sonatype_Blog_Logo_White
Image of a line of cones with one knocked over
READ MORE

From feature to vulnerability: A Spring-Security-oauth2-Client story

By Juan Aguirre on August 27, 2021 vulnerabilities

5 minute read time

Taking a deeper dive into a Spring vulnerability and understanding how lack of control over resources can lead to a DoS (Denial of Service).
Read More...
Linux & Mac Malware Bundled within Browserify npm Brandjack Attempt
READ MORE

Damaging Linux and Mac malware bundled within Browserify npm brandjack attempt

By Ax Sharma on April 13, 2021 vulnerabilities

7 minute read time

New malware exists in a brandjacking npm package called web-browserify that imitates the legitimate browserify component
Read More...
CVE-2021-22114 Spring-integration-zip
READ MORE

Deep diving into CVE-2021-22114 spring-integration-zip path traversal

By Juan Aguirre on March 31, 2021 vulnerabilities

3 minute read time

We take a deep dive into CVE-2021-22114, which is causing problems for the second time.
Read More...
PHP and netmask software supply chain attacks
READ MORE

Netmask flaw leaves millions vulnerable while a PHP Git server is hacked in software supply chain attack

By Ax Sharma on March 29, 2021 vulnerabilities

4 minute read time

2 critical software supply chain attacks were uncovered today.
Read More...
PyPI and npm see flood of dependency Confusion Copycats
READ MORE

PyPI and npm flooded with over 5,000 dependency confusion copycats

By Ax Sharma on March 03, 2021 vulnerabilities

4 minute read time

Both PyPi and npm are being inundated with malicious dependency confusion packages.
Read More...
new dependency confusion packages published to the npm ecosystem are malicious in nature.
READ MORE

Newly identified dependency confusion packages target Amazon, Zillow, and Slack; Go beyond just bug bounties

By Ax Sharma on March 01, 2021 vulnerabilities

9 minute read time

Malicious npm dependency confusion packages exfiltrate your bash_history and /etc/shadow files
Read More...
Sonatype Spots Malicious npm Packages Copying Novel Software Supply Chain Attack
READ MORE

Sonatype spots 275+ malicious npm packages copying recent software supply chain attacks that hit 35 organizations

By Ax Sharma on February 12, 2021 vulnerabilities

7 minute read time

48 hours after a security researcher breached 35+ tech companies in a novel software supply chain attack, Sonatype’s Nexus Intelligence flagged 150+ copycat.
Read More...
Dependency Hijacking Software Supply Chain Attack
READ MORE

Dependency hijacking software supply chain attack hits more than 35 organizations

By Ax Sharma on February 09, 2021 vulnerabilities

9 minute read time

A security researcher managed to breach systems of over 35 tech companies in what has been described as a novel software supply chain attack.
Read More...
READ MORE

CursedGrabber strikes again: Sonatype spots new malware campaign against software supply chains

3 minute read time

Sonatype has determined those behind the CursedGrabber Discord malware family, have published a new malware campaign against software supply chains
Read More...