Wicked Good Development: What is Spring4Shell? And Why You Should Care

By Kadi Grigg on April 04, 2022 vulnerabilities

11 minute read time

In a special episode of Wicked Good Development we dissect the zero-day RCE vulnerability in the Spring Framework dubbed Spring4Shell or Springshell.
Read More...

Fixing a vulnerability? Make sure your GitHub isn't showing too much

By Ax Sharma on April 04, 2022 github

5 minute read time

February's $326 million crypto hack at Wormhole and this month's findings by Sonatype shed light on the importance of secrets management for open source developers.
Read More...

This week in malware—a 'fix-crash' info-stealer and 500+ malicious npm packages

By Ax Sharma on April 01, 2022 vulnerabilities

7 minute read time

This week in malware—Dive Deep into this week's findings from Sonatype's automated malware detection system.
Read More...

86 Malicious npm Packages Named After Popular NodeJS Functions

By Ax Sharma on March 28, 2022 vulnerabilities

4 minute read time

Sonatype has now discovered 83 packages on the npm open source repository named after popular NodeJS & JavaScript functions that exfiltrate system information.
Read More...

This week in malware—400+ npm packages target Azure, Uber, Airbnb developers

By Ax Sharma on March 25, 2022 vulnerabilities

12 minute read time

This week in malware—Dive Deep into this week's findings from Sonatype's automated malware detection system.
Read More...

Remember npm library 'colors'? There's no such thing as 'colors-2.0'

By Ax Sharma on March 15, 2022 vulnerabilities

5 minute read time

Alongside the popular 'colors' library on npm come unwanted malicious typosquats called 'colors-2.0', 'colors-3.0', 'colorsss', and so on.
Read More...
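The name patterns listed above (a version bolted onto a real package name, repeated trailing letters) are mechanical enough to screen for before `npm install`. The following is an added example, not Sonatype's detection system or any code from the post: it checks the names in a `package.json` dependency object against a small, constructed list of popular packages and flags lookalikes by three rules. The `KNOWN_PACKAGES` list and `SAMPLE_DEPENDENCIES` manifest are assumptions made for the example.

```javascript
// Added example (not Sonatype's code): screen package.json dependency names for
// lookalikes of popular npm packages, using the name patterns the post lists.
// KNOWN_PACKAGES is a constructed stand-in for a real download-ranked list.
const KNOWN_PACKAGES = ["colors", "chalk", "lodash", "express"];

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Classic Levenshtein edit distance computed with a single rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0]; // previous row, column j-1
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // previous row, column j
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return row[b.length];
}

// Collapse runs of repeated characters: "colorsss" -> "colors".
function collapseRepeats(s) {
  return s.replace(/(.)\1+/g, "$1");
}

// Returns { name, verdict, reason, target }.
// verdict: "known" (exact match), "suspicious" (lookalike), "unknown" (no match).
function classifyDependency(name, known = KNOWN_PACKAGES) {
  // Scoped packages are a separate namespace on npm, but a lookalike inside a
  // scope is still a lookalike: compare the bare part, report the full name.
  const bare = name.startsWith("@") && name.includes("/") ? name.split("/")[1] : name;
  const lower = bare.toLowerCase();

  if (known.includes(lower)) {
    return { name, verdict: "known", reason: "exact-match", target: lower };
  }
  for (const target of known) {
    // "colors-2.0", "colors_3", "colors.v1": npm packages version through
    // package.json, never through the name, so this is always a red flag.
    const versionSuffix = new RegExp(`^${escapeRegex(target)}[-_.]?v?\\d+(\\.\\d+)*$`);
    if (versionSuffix.test(lower)) {
      return { name, verdict: "suspicious", reason: "version-suffix", target };
    }
    // "colorsss": the real name with letters repeated.
    if (collapseRepeats(lower) === collapseRepeats(target)) {
      return { name, verdict: "suspicious", reason: "repeated-characters", target };
    }
    // A one-character typo of a reasonably long name ("colorz"). Short names
    // are skipped because too many legitimate packages sit one edit apart.
    if (target.length >= 5 && levenshtein(lower, target) === 1) {
      return { name, verdict: "suspicious", reason: "edit-distance", target };
    }
  }
  return { name, verdict: "unknown", reason: "no-match", target: null };
}

// Screen a package.json "dependencies" object; returns only the lookalikes.
function screenDependencies(dependencies, known = KNOWN_PACKAGES) {
  return Object.keys(dependencies)
    .map((n) => classifyDependency(n, known))
    .filter((r) => r.verdict === "suspicious");
}

// Constructed sample manifest for the example (not a real project's package.json).
const SAMPLE_DEPENDENCIES = {
  colors: "1.4.0",
  "colors-2.0": "2.0.0",
  "colors-3.0": "3.0.0",
  colorsss: "1.0.0",
  "@acme/colorz": "1.0.0",
  express: "4.17.3",
  leftpad: "1.0.0",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of screenDependencies(SAMPLE_DEPENDENCIES)) {
    console.log(`${hit.name}: ${hit.reason} lookalike of ${hit.target}`);
  }
}
```

Run against the sample manifest this flags `colors-2.0` and `colors-3.0` (version suffix), `colorsss` (repeated characters) and `@acme/colorz` (one edit from `colors`), while `colors` itself and `leftpad` pass. Plain Levenshtein counts a transposition such as `lodahs` as two edits, so it slips past the distance rule; a Damerau variant would catch it at the cost of more false positives on short names. None of this replaces checking a package's publisher, age and download history, but it is cheap enough to run in CI on every manifest change.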

Major Government Attack Highlights How Log4j is Still Unresolved

By Luke Mcbride on March 11, 2022 vulnerabilities

4 minute read time

Despite all the attention and effort so far this year, this open source vulnerability has found its first major victim in multiple U.S. state governments.
Read More...

Can you spot this cryptic 'reverse shell' lurking in these PyPI packages?

By Ax Sharma on March 11, 2022 vulnerabilities

5 minute read time

Sonatype has discovered 3 malicious PyPI packages this week—two of which hide a reverse shell in plain sight.
Read More...

Careful Out There: Open Source Attacks Continue to be on the Uptick

By Ax Sharma on March 03, 2022 vulnerabilities

7 minute read time

As the world is focused on the Russia-Ukraine crisis and governments urge organizations to step up cyber security efforts, Sonatype is seeing increased malicious activity on OSS repos with over
Read More...