This Week in Malware — npm malware exfiltrates Windows SAM, Amazon EC2 credentials

By Ax Sharma on June 10, 2022 vulnerabilities

4 minute read time

Malicious packages caught this week exfiltrate Amazon EC2 and Windows SAM credentials, and launch malicious executables.

This Week in Malware — Malicious Rust crate, 'colors' typosquats

By Ax Sharma on May 14, 2022 vulnerabilities

5 minute read time

From a malicious Rust typosquat found in the crates[.

Malicious npm 'colors' typosquats pack Discord malware

By Ax Sharma on May 03, 2022 vulnerabilities

5 minute read time

Sonatype has caught newer typosquats of the popular 'colors' npm library that contain Discord info-stealing malware.

Fixing a vulnerability? Make sure your GitHub isn't showing too much

By Ax Sharma on April 04, 2022 github

5 minute read time

February's $326 million crypto hack at Wormhole and this month's findings by Sonatype shed light on the importance of secrets management for open source.

This Week in Malware — A 'fix-crash' info-stealer and 500+ malicious npm packages

By Ax Sharma on April 01, 2022 vulnerabilities

6 minute read time

A deep dive into this week's findings from Sonatype's automated malware detection system.

86 malicious npm packages named after popular NodeJS functions

By Ax Sharma on March 28, 2022 vulnerabilities

3 minute read time

Sonatype has now discovered 83 packages on the npm open source repository named after popular NodeJS & JavaScript functions that exfiltrate system information.

Remember npm library 'colors'? There's no such thing as 'colors-2.0'

By Ax Sharma on March 15, 2022 vulnerabilities

5 minute read time

Alongside the popular 'colors' library on npm come unwanted malicious typosquats called 'colors-2.0', 'colors-3.0', 'colorsss', and so on.

What's in your jQuery app? Not the fishy 'jquery-lh' we hope!

By Ax Sharma on February 17, 2022 vulnerabilities

3 minute read time

The mysterious 'jquery-lh' npm package installs real jQuery code while doing something fishy behind the scenes.

PyPI, NuGet, npm flooded with Roblox and Fortnite spam: What draws OSS attackers to gamers?

By Ax Sharma on February 15, 2022 vulnerabilities

7 minute read time

Spammers flood PyPI, NuGet and npm with bogus Roblox and Fortnite spam, as open source attacks leveraging gaming platforms continue to increase.