John Deere Dependency Confusion Attempt Flagged by Sonatype

By Ax Sharma on July 21, 2022 vulnerabilities

3 minute read time

Sonatype identified 17 npm packages, at least 12 of which directly target John Deere's private npm dependencies via dependency confusion, a technique that continues to repeatedly be employed by bug

This Week in Malware—July 15th Edition

By Ax Sharma on July 15, 2022 vulnerabilities

1 minute read time

This Week in Malware we identified over 34 npm and PyPI packages that are either dependency confusion candidates, prank packages, contain PoC reverse shell code, or otherwise contain extensive

This Week in Malware—Python Cryptominers, 345 Dependency Confusion Packages

By Ax Sharma on July 01, 2022 vulnerabilities

16 minute read time

This week's highlights include a PyPI typosquat that drops a cryptominer and AWS credential stealer, along with an influx of 345 dependency confusion packages caught by Sonatype's automated malware

This Week in Malware—Killing Windows Defender With an npm Package

By Ax Sharma on June 17, 2022 vulnerabilities

3 minute read time

This Week in Malware we discuss a malicious npm package that disables Windows Defender before dropping a trojan, and ongoing dependency confusion findings.

npm Package Disables Windows Defender Before Dropping Trojan

By Ax Sharma on June 13, 2022 vulnerabilities

4 minute read time

npm package 'flame-vali' makes multiple attempts to disable Windows Defender on the infected system before downloading a cryptominer.

This Week in Malware—npm Malware Exfiltrates Windows SAM, Amazon EC2 Credentials

By Ax Sharma on June 10, 2022 vulnerabilities

4 minute read time

Malicious packages caught this week exfiltrate Amazon EC2, Windows SAM credentials, and launch malicious executables.

This Week in Malware—Malicious Rust crate, 'colors' Typosquats

By Ax Sharma on May 14, 2022 vulnerabilities

6 minute read time

From a malicious Rust typosquat found in the crates[.]io repository to ongoing typosquatting attacks on the 'colors' library, the OSS security problem hasn't gone away just yet.

Malicious npm 'colors' Typosquats Pack Discord Malware

By Ax Sharma on May 03, 2022 vulnerabilities

5 minute read time

Sonatype has caught newer typosquats of the popular 'colors' npm library that contain Discord info-stealing malware.

Fixing a Vulnerability? Make Sure Your GitHub Isn't Showing Too Much

By Ax Sharma on April 04, 2022 github

5 minute read time

February's $326 million crypto hack at Wormhole and this month's findings by Sonatype shed light on the importance of secrets management for open source developers.