Sonatype Unveils Full-Spectrum Software Supply Chain Management | Press Release

Meet the Developers Behind Sonatype’s Automated Malware Detection System Securing Open Source Supply Chains

By Ax Sharma on April 08, 2021 vulnerabilities
Meet the principal software engineers behind Sonatype's automated malware detection system, Release Integrity.
Read More...

Deep Diving into CVE-2021-22114 Spring-integration-zip Path Traversal

By Juan Aguirre on March 31, 2021 vulnerabilities
We take a deep dive into CVE-2021-22114, which is causing problems for the second time.
Read More...

Netmask Flaw Leaves Millions Vulnerable While a PHP Git Server is Hacked in Software Supply Chain Attack

By Ax Sharma on March 29, 2021 vulnerabilities
2 critical software supply chain attacks were uncovered today. An improper input validation vulnerability in the npm component netmask and an attack on PHP’s Git server.
Read More...

PyPI and npm Flooded with over 5,000 Dependency Confusion Copycats

By Ax Sharma on March 03, 2021 vulnerabilities
Both PyPi and npm are being inundated with malicious dependency confusion packages.
Read More...

Newly Identified Dependency Confusion Packages Target Amazon, Zillow, and Slack; Go Beyond Just Bug Bounties

By Ax Sharma on March 01, 2021 vulnerabilities
Malicious npm dependency confusion packages exfiltrate your bash_history and /etc/shadow files
Read More...

Sonatype Spots 275+ Malicious npm Packages Copying Recent Software Supply Chain Attacks that Hit 35 Organizations

By Ax Sharma on February 12, 2021 vulnerabilities
48 hours after a security researcher breached 35+ tech companies in a novel software supply chain attack, Sonatype’s Nexus Intelligence flagged 150+ copycat npm packages published by different
Read More...

Dependency Hijacking Software Supply Chain Attack Hits More Than 35 Organizations

By Ax Sharma on February 09, 2021 vulnerabilities
A security researcher managed to breach systems of over 35 tech companies in what has been described as a novel software supply chain attack.
Read More...

CursedGrabber strikes again: Sonatype spots new malware campaign against Software Supply Chains

Sonatype has determined those behind the CursedGrabber Discord malware family, have published a new malware campaign against software supply chains
Read More...

Sonatype Stops Software Supply Chain Attack Aimed at the Java Developer Community

Sonatype removed 3 malicious open-source Java components from Maven Central targeting popular software releases, stopping a software supply chain attack.
Read More...