Featured Article

Devs flood npm with 15,000 packages to reward themselves with Tea 'tokens'

By Ax Sharma on April 16, 2024 vulnerabilities

The Sonatype Security Research team has identified over 15,000 npm packages that flood npm registry in a new trend where devs involved in the blockchain and cryptocurrency communities are leveraging

Read More

This Week in Malware - 135 packages target npm and PyPI registries

By Aaron Linskens on September 30, 2022 vulnerabilities

3 minute read time

This week in malware, we discovered and analyzed 135 packages flagged as malicious, suspicious, or dependency confusion attacks in npm and PyPI registries.

Read More...

Despite what some vendors say, please don't ignore Log4j

By Stephen Magill on September 26, 2022 vulnerabilities

5 minute read time

Ignoring Log4j and recommending that high-risk open source vulnerabilities be left in application code isn't just irresponsible, it's dangerous.

Read More...

This Week in Malware - Over five dozen more packages discovered

By Aaron Linskens on September 23, 2022 vulnerabilities

2 minute read time

This week in malware we discovered and analyzed over five dozen packages flagged as malicious, suspicious, or dependency confusion attacks.

Read More...

This Week in Malware - Almost 100 packages

By Aaron Linskens on September 16, 2022 vulnerabilities

2 minute read time

This week in malware Sonatype discovered and analyzed over seven dozen packages flagged as malicious, suspicious, or dependency confusion attacks.

Read More...

Rule over your dependencies and scan at your own open source risk

By Aaron Linskens on September 13, 2022 vulnerabilities

5 minute read time

A good way to make sure that your organization's vulnerabilities don't go unnoticed is conducting regular scans of open source used in your environments.

Read More...

This Week in Malware—Ongoing Dependency Confusion

By Ax Sharma on September 09, 2022 vulnerabilities

4 minute read time

This week in malware, Sonatype's automated malware detection systems have spotted over four dozen dependency confusion candidates.

Read More...

This Week in Malware - A PyPI phishing follow-up plus 120 packages

By Aaron Linskens on September 02, 2022 vulnerabilities

4 minute read time

This week Sonatype discovered and analyzed 120 packages flagged as malicious, suspicious, or dependency confusion attacks.

Read More...

This Week in Malware - 450 packages and a phishing campaign against PyPI maintainers

By Aaron Linskens on August 26, 2022 vulnerabilities

6 minute read time

This week Sonatype discovered and analyzed 450 packages flagged as malicious, suspicious, or dependency confusion attacks.

Read More...

This Week in Malware — Cryptominers flood npm, PyPI, and more dependency confusion

By Hernán Ortiz on August 19, 2022 vulnerabilities

2 minute read time

This week Sonatype discovered 200+ npm and PyPI packages that are cryptominers, with additional packages comprising dependency confusion PoCs.

Read More...

Previous Next

Devs flood npm with 15,000 packages to reward themselves with Tea 'tokens'

This Week in Malware - 135 packages target npm and PyPI registries

Despite what some vendors say, please don't ignore Log4j

This Week in Malware - Over five dozen more packages discovered

This Week in Malware - Almost 100 packages

Rule over your dependencies and scan at your own open source risk

This Week in Malware—Ongoing Dependency Confusion

This Week in Malware - A PyPI phishing follow-up plus 120 packages

This Week in Malware - 450 packages and a phishing campaign against PyPI maintainers

This Week in Malware — Cryptominers flood npm, PyPI, and more dependency confusion

Secure your software supply chain

Subscribe for all the latest software security news and events