Octopus Malware Compromises 26 OSS Projects on GitHub

Making a salad for lunch or dinner? What ingredients do you use? Lettuce, carrots, onions, tomatoes, dressing? If you just go by the list of ingredients, you know what you’ve used, but not the quality of the ingredients themselves. In the realm of…

What Developers Need to Know About WhatsApp’s Recent Security Dilemma

Last week, reports, like this one from Dark Reading, surfaced a remotely exploitable bug in Facebook’s popular WhatsApp chat app that was used to spy on users and specifically targeted human rights groups. Facebook patched the flaw last week in…

The Dot Zero Conundrum and the New Frontier of Securing Open Source

Over the past two years, I’ve spoken about more than 20 instances of adversaries intentionally publishing malicious components into public open source and container repositories. Adversaries used these attacks to mine cryptocurrency, steal p…

Anatomy of the RubyGems ‘rest-client’ hack, and getting creative about open source security

Over the last several years, we’ve been raising awareness of breaches of popular open source software components and the worrying trend that they are more frequently being attacked at the source – bad actors are growing bolder and the veloci…

Nexus Intelligence Insights: Sonatype-2018-0413, flatmap-stream’s back, back again

Thought you cleaned up your malicious flatmap-stream code? Check again.
You may have thought you’d read everything there was to read about flatmap-stream and as a result, fixed the offending component once and for all. However, after a deep…

Nexus Intelligence Insights: CVE-2019-13354: ‘strong_password’ embedded malicious code, RubyGems

We typically don’t follow one monthly Nexus Intelligence Insights post on the heels of another, but July’s vulnerability is time sensitive so we didn’t want to delay getting the next edition out for everyone to read.