From Prototype Pollution to full-on remote code execution, how can adversaries exploit npm modules?

By Ax Sharma on August 19, 2020 vulnerabilities

August's Nexus Intelligence Insight looks at the NodeJS component express-fileupload which now has a critical Prototype Pollution vulnerability.

Sonatype Intelligence Insights: CVE-2020-13935 - Apache Tomcat Websocket - Denial of Service (DoS)

By Ax Sharma on July 29, 2020 vulnerabilities

July’s Nexus Intelligence Insight takes a deep dive into a Denial of Service (DoS) vulnerability impacting the popular Apache Tomcat Websocket component.

Nexus Intelligence Insights: xlsx aka SheetJS - Regular Expression Denial of Service (ReDoS) and sonatype-2018-0622

By Ax Sharma on May 06, 2020 vulnerabilities

The ReDoS vulnerability impacting the popular npm component SheetJS, also known as “xlsx,” was thought to be remedied through a fix, but no, not so fast.

Nexus Intelligence Insights: Protect Your Bitcoin from 700+ Malicious RubyGems with sonatype-2020-0196

By Ax Sharma on April 23, 2020 vulnerability

Crafty attackers take advantage of the open source software supply chain through typographical errors. Not even the most sophisticated devs are immune.

Nexus Intelligence Insights: CVE-2019-3773 Spring Web Services XML External Entity Injection (XXE)

By Ax Sharma on March 18, 2020 vulnerabilities

This Nexus Intelligence Insight covers CVE-2019-3773: cross site scripting vulnerabilities in Spring Web Services XML External Entity Injection (XXE).

Nexus Intelligence Insights: What's in a Ghostcat? CVE-2020-1938 Apache Tomcat - Local File Inclusion Potentially Leads to RCE

By Ax Sharma on March 09, 2020 vulnerabilities

Ghostcat manipulates the widely used Apache Tomcat web server. No version of Tomcat released in the last 13 years is immune, unless properly patched.

Nexus Intelligence Insights CVE-2020-2100: Jenkins - UDP Amplification Reflection Attack Leading to Distributed Denial of Service (DDoS)

By Ax Sharma on February 12, 2020 vulnerabilities

CVE-2020-2100 takes advantage of the fact that, by default, both UDP multicast/broadcast and DNS multicast traffic is enabled on Jenkins. Here's what to do.

Nexus Intelligence Insights: Sonatype-2020-0003 - npm Malicious Package 1337qq-js

By Elisa Velarde on January 15, 2020 vulnerabilities

In this month's Nexus Intelligence Insights, we cover Sonatype-2020-0003: npm malicious package 1337qq-js. Here's why it made noise but had no impact.

Nexus Intelligence Insights: CVE-2018-5382 Bouncycastle Information Exposure

By Elisa Velarde on December 26, 2019 vulnerabilities

In this month's Nexus Intelligence Insights, we're covering CVE-2018-5382: information exposure in the bouncycastle component.