Sonatype Unveils Full-Spectrum Software Supply Chain Management | Press Release

What You Need to Know about the Codecov Incident: A Supply Chain Attack Gone Undetected for 2 Months

By Ax Sharma on April 19, 2021 | vulnerabilities
A new software supply chain attack on software testing firm Codecov highlights why developers need to take an active role in protecting their systems.

Damaging Linux & Mac Malware Bundled within Browserify npm Brandjack Attempt

By Ax Sharma on April 13, 2021 | vulnerabilities
New malware exists in a brandjacking npm package called web-browserify that imitates the legitimate browserify component.

Meet the Developers Behind Sonatype’s Automated Malware Detection System Securing Open Source Supply Chains

By Ax Sharma on April 08, 2021 | vulnerabilities
Meet the principal software engineers behind Sonatype's automated malware detection system, Release Integrity.

Deep Diving into CVE-2021-22114 Spring-integration-zip Path Traversal

By Juan Aguirre on March 31, 2021 | vulnerabilities
We take a deep dive into CVE-2021-22114, which is causing problems for the second time.

Netmask Flaw Leaves Millions Vulnerable While a PHP Git Server is Hacked in Software Supply Chain Attack

By Ax Sharma on March 29, 2021 | vulnerabilities
Two critical software supply chain attacks were uncovered today: an improper input validation vulnerability in the npm component netmask, and an attack on PHP’s Git server.

PyPI and npm Flooded with over 5,000 Dependency Confusion Copycats

By Ax Sharma on March 03, 2021 | vulnerabilities
Both PyPI and npm are being inundated with malicious dependency confusion packages.

Newly Identified Dependency Confusion Packages Target Amazon, Zillow, and Slack; Go Beyond Just Bug Bounties

By Ax Sharma on March 01, 2021 | vulnerabilities
Malicious npm dependency confusion packages exfiltrate your bash_history and /etc/shadow files.

Sonatype Spots 275+ Malicious npm Packages Copying Recent Software Supply Chain Attacks that Hit 35 Organizations

By Ax Sharma on February 12, 2021 | vulnerabilities
48 hours after a security researcher breached 35+ tech companies in a novel software supply chain attack, Sonatype’s Nexus Intelligence flagged 150+ copycat npm packages published by different

Dependency Hijacking Software Supply Chain Attack Hits More Than 35 Organizations

By Ax Sharma on February 09, 2021 | vulnerabilities
A security researcher managed to breach systems of over 35 tech companies in what has been described as a novel software supply chain attack.