In the Dark about Software Supply Chain Vulnerabilities

By Matt Howard on May 16, 2019 vulnerability

2 minute read time

The Barium attacks, revealed earlier this month, highlight new, pervasive tactics that are exceptionally dangerous.

Nexus Intelligence Insights: CVE-2019-0232 - Apache Tomcat CGI Servlet Remote Code Execution

By Elisa Velarde on April 26, 2019 vulnerability

3 minute read time

Learn about a very popular component used by developers worldwide. Say hello to CVE-2019-0232, a remote code execution vulnerability.

Malicious Attacks On Open Source Are Going to Get Worse: Developers Need to Take Notice

By Sonal Thawani on April 19, 2019 vulnerability

2 minute read time

Bad actors have recognized the power of open source and are now beginning to create their own attack opportunities.

Corrupting the Software Supply Chain: Lessons From the Bootstrap-sass Hack

By Elisa Velarde on April 09, 2019 vulnerability

2 minute read time

The boldness of bad actors is escalating in the world of open source software. From the event-stream / NPM incident in November of 2018, to the recent bootstrap-sass / Ruby Gems hack, bad actors are

Nexus Intelligence Insights: CVE-2014-3483 - SQL Injection in PostgreSQL adapter for Active Record against 'range' data type

By Elisa Velarde on March 29, 2019 vulnerability

3 minute read time

In this month's Nexus Intelligence Insights we discuss an older component that is used by millions of developers.

Nexus Intelligence Insights: CVE-2014-3603 — Lack of Hostname Verification in OpenSAML

By Ax Sharma on February 26, 2019 vulnerability

3 minute read time

In this month's Nexus Intelligence Insights we discuss an older component, but one that is widely used across a variety of ecosystems, and has a vulnerability.

Vor Security brings OSS Index to Sonatype

By Brian Fox on June 29, 2017 vulnerability

2 minute read time

Vor Security acquisition, extended language coverage, ossindex.net

Struts2 Exploited Again. Did Anyone Bother to Tell You?

By Brian Fox on March 10, 2017 oss

5 minute read time

This week I woke up to find several emails from Nexus Lifecycle indicating that the products in my portfolio were potentially vulnerable due to their.

Did You Wake Up to an Alert About the Java Deserialization Vulnerability?

By Brian Fox on November 13, 2015 oss

4 minute read time

This week I woke up to find several emails from Nexus Lifecycle indicating that the products in my portfolio were potentially vulnerable due to their.