PyPI package 'ctx' and PHP library 'phpass' compromised to steal environment variables

By Ax Sharma on May 24, 2022 vulnerabilities

5 minute read time

Popular Python package 'ctx' that is downloaded over 22,000 times weekly on PyPI registry has been compromised and now steals environment variables. Additionally, a forked PHP project 'phpass' also
Read More...

New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux

By Ax Sharma on May 20, 2022 vulnerabilities

5 minute read time

The 'pymafka' PyPI package is filled with trojans targeting Windows, macOS & Linux users and appears to typosquat the popular PyKafka, a programmer-friendly Apache Kafka client for Python.
Read More...

This Week in Malware—Malicious Rust crate, 'colors' typosquats

By Ax Sharma on May 14, 2022 vulnerabilities

6 minute read time

From a malcious Rust typosquat found in the crates[.]io repository to ongoing typosquatting attacks on 'colors' library, the OSS security problem hasn't gone away just yet.
Read More...

A Clear Path Forward Toward More Secure and Maintainable Open Source Software

By Brian Fox on May 13, 2022 featured

7 minute read time

Sonatype CTO shares thoughts following conversations, led by OpenSSF, where industry and government came together to discuss securing open source software.
Read More...

Take Control of Your InnerSource Components with InnerSource Insight

By Chris Good on May 11, 2022 Nexus Lifecycle

7 minute read time

InnerSource Insight, an industry-first capability, makes it easier and safer for developers to use components developed by others in their organization.
Read More...

This Week in Malware—Apache Kafka typosquats, shorthand data exfiltration

By Ax Sharma on May 06, 2022 vulnerabilities

4 minute read time

This Week In Malware—May 6th edition: Apache Kafka typosquat, and a simple distraction technique.
Read More...

npm package downloads another package while exfiltrating your IP address and username

By Ax Sharma on May 06, 2022 vulnerabilities

5 minute read time

On any given day we analyze hundreds of suspicious npm and PyPI packages, but this one stood out to us. An npm package that downloads another empty npm package?
Read More...

Malicious npm 'colors' typosquats pack Discord malware

By Ax Sharma on May 03, 2022 vulnerabilities

5 minute read time

Sonatype has caught newer typosquats of the popular 'colors' npm library that contain Discord info-stealing malware.
Read More...

This Week in Malware—npm backdoors, bugs, 'mystery placeholders'

By Ax Sharma on April 29, 2022 vulnerabilities

6 minute read time

This Week in Malware we discuss malicious packages with backdoors and hidden Discord stealers, a serious npm bug that allowed for maintainer tampering, and hundreds of 'mystery placeholders' we are
Read More...
Content not found