The 2020 State of the Software Supply Chain Report is available!

Study Shows High-Performance Dev Teams Fix OSS Vulns 26x Faster | Press Release

blog-logo Sonatype Blog

Inside the “fallguys” malware that steals your browsing data and gaming IMs; Continued attack on open source software

By Akshay 'Ax' Sharma on September 02, 2020 vulnerabilities
This weekend a malicious component called “fallguys” was discovered on npm impersonating an API for the widely popular video game, Fall Guys: Ultimate Knockout. Its actual purpose, however, was
Read More...

From Prototype Pollution to full-on remote code execution, how can adversaries exploit npm modules?

By Akshay 'Ax' Sharma on August 19, 2020 vulnerabilities
August's Nexus Intelligence Insight looks at the NodeJS component express-fileupload which now has a critical Prototype Pollution vulnerability.
Read More...

CVE-2020-17479: The return of Validation Bypass (CVE-2019-19507) in `jpv`

While updating our data for CVE-2020-17479 in JPV, an open-source JSON schema validator, we discovered that the vulnerability could still be exploited with the existing fix in place, creating
Read More...

Nexus Intelligence Insights:CVE-2020-13935 - Apache Tomcat Websocket - Denial of Service (DoS)

By Akshay 'Ax' Sharma on July 29, 2020 vulnerabilities
July’s Nexus Intelligence Insight takes a deep dive into a Denial of Service (DoS) vulnerability impacting the popular Apache Tomcat Websocket component.
Read More...

Find and Fix Vulnerabilities in Seconds using GitHub PR Reviews with Line Comments

By Kevin Miller on July 07, 2020 github
Pull Request line comments highlight code that introduces a policy violation. This gives developers the information needed to remediate security risks.
Read More...

UPDATE: 21 SaltStack Breaches with 2,900 Still Vulnerable

By Derek Weeks on May 31, 2020 vulnerabilities
When a vulnerability is announced in an open source project, ask immediately: have we ever used that open source component, and (if yes) where is it?
Read More...

Department of Homeland Security Cybersecurity: Top 10 Vulnerabilities Still Being Exploited

By April Downey on May 28, 2020 vulnerabilities
DHS CISA lists Apache Struts as a top vulnerability. Yet, evidence shows it is still being downloaded - on average, by 10,000 organizations a month.
Read More...

The OWASP ZAP HUD

By Omkar Hiremath on May 26, 2020 vulnerabilities
ZAP is an open-source web application scanner and OWASP flagship project. Use ZAP to find vulnerabilities. Security expert Simon Bennetts demonstrates.
Read More...

Nexus Intelligence Insights: xlsx aka SheetJS - Regular Expression Denial of Service (ReDoS) and sonatype-2018-0622

By Akshay 'Ax' Sharma on May 06, 2020 vulnerabilities
The ReDoS vulnerability impacting the popular npm component SheetJS, also known as “xlsx,” was thought to be remedied through a fix, but no, not so fast.
Read More...