This Week in Malware - 450 packages and a phishing campaign against PyPI maintainers

By Aaron Linskens on August 26, 2022 vulnerabilities

6 minute read time

This week Sonatype discovered and analyzed 450 packages flagged as malicious, suspicious, or dependency confusion attacks.

This Week in Malware — Cryptominers flood npm, PyPI, and more dependency confusion

By Hernán Ortiz on August 19, 2022 vulnerabilities

2 minute read time

This week Sonatype discovered 200+ npm and PyPI packages that are cryptominers, with additional packages comprising dependency confusion PoCs.

This Week in Malware - Fileless Linux cryptominer, 100 packages

By Aaron Linskens on August 12, 2022 vulnerabilities

6 minute read time

This week Sonatype discovered more than 100 open source packages that were malicious, suspicious, or dependency confusion attacks.

This Week in Malware — Typosquats in PyPI, dependency confusion packages

By Hernán Ortiz on August 04, 2022 vulnerabilities

2 minute read time

This Week in Malware we discovered 50 packages that are either malicious or dependency confusion attacks.

This Week in Malware — John Deere dependency confusion attempt and more

By Ax Sharma on July 22, 2022 vulnerabilities

2 minute read time

We discovered and analyzed 17 packages, at least a dozen of which were dependency confusion PoCs directly targeting the agricultural equipment giant John Deere.

This Week in Malware — July 15th edition

By Ax Sharma on July 15, 2022 vulnerabilities

2 minute read time

This Week in Malware we identified over 34 npm and PyPI packages that are dependency confusion candidates, prank packages, or contain a PoC reverse shell.

This Week in Malware — Python packages peek into your Telegram, set up Windows RDP access

By Ax Sharma on July 08, 2022 vulnerabilities

3 minute read time

This Week in Malware we discovered and analyzed multiple malicious PyPI packages that either set up new Remote Desktop user accounts on your Windows computer.

This Week in Malware — Python cryptominers, 345 dependency confusion packages

By Ax Sharma on July 01, 2022 vulnerabilities

16 minute read time

This week's highlights include a PyPI typosquat that drops a cryptominer and AWS credential stealer, along with an influx of 345 dependency confusion packages.

This Week in Malware — Show me your secrets!

By Ax Sharma on June 24, 2022 vulnerabilities

2 minute read time

These Python packages not only exfiltrate your secrets (AWS credentials and environment variables) but upload them to a publicly exposed endpoint.