Fake npm Roblox API Package Installs Ransomware and has a Spooky Surprise

By Juan Aguirre on October 27, 2021 vulnerabilities

11 minute read time

Fake npm Roblox API package discovered by Sonatype uncovers first known ransomware maliciously placed in typosquatted open source package.

Popular npm Project Used by Millions Hijacked in Supply-Chain Attack

By Ax Sharma on October 25, 2021 vulnerabilities

7 minute read time

Companies are assessing impact from compromise of a popular npm project that may have introduced cryptominers and password stealers into their systems.

Newly Found npm Malware Mines Cryptocurrency on Windows, Linux, macOS Devices

By Ax Sharma on October 20, 2021 vulnerabilities

5 minute read time

Sonatype’s automated malware detection system has caught multiple malicious packages on the npm registry this month.

From Feature to Vulnerability: a spring-security-oauth2-client Story

By Juan Aguirre on August 27, 2021 vulnerabilities

5 minute read time

Taking a deeper dive into a Spring vulnerability and understanding how lack of control over resources can lead to a DoS (Denial of Service).

This npm Package Could Have Brought Down Cloudflare’s Entire CDN and Millions of Websites

By Ax Sharma on July 16, 2021 vulnerabilities

5 minute read time

Cloudflare has patched a critical vulnerability in its open source content delivery network, CDNJS, that threatened the security, integrity, and availability of the wider supply chain.

Sonatype Catches New PyPI Cryptomining Malware

By Ax Sharma on June 21, 2021 vulnerabilities

8 minute read time

New malicious typosquatting packages infiltrating the PyPI repository identified that secretly pull in cryptominers.

Open Source Attacks on the Rise: Top 8 Malicious Packages Found in npm

By Ax Sharma on June 08, 2021 featured

10 minute read time

We're rounding up the top 8 malicious cyber attacks on npm that Sonatype has discovered with its next-gen open source security and malware detection tool.

Damaging Linux & Mac Malware Bundled within Browserify npm Brandjack Attempt

By Ax Sharma on April 13, 2021 vulnerabilities

6 minute read time

New malware exists in a brandjacking npm package called web-browserify that imitates the legitimate browserify component.

Deep Diving into CVE-2021-22114 Spring-integration-zip Path Traversal

By Juan Aguirre on March 31, 2021 vulnerabilities

3 minute read time

We take a deep dive into CVE-2021-22114, which is causing problems for the second time.