This npm Package Could Have Brought Down Cloudflare’s Entire CDN and Millions of Websites

Cloudflare has patched a critical vulnerability in its open source content delivery network, CDNJS. The issue threatened the security, integrity, and availability of the wider supply chain.

Open Source Attacks on the Rise: Top 8 Malicious Packages Found in npm

I get asked often what Sonatype’s automated malware detection system, Release Integrity, has found so far. Great question!

Damaging Linux & Mac Malware Bundled within Browserify npm Brandjack Attempt

Over the weekend, Sonatype spotted a rather unique malware sample published to the npm registry, within a day of its release on npm.

Netmask Flaw Leaves Millions Vulnerable While a PHP Git Server is Hacked in Software Supply Chain Attack

We’ve been seeing so many software supply chain attacks in recent weeks that it’s hard for us to talk about all of them. But, in the last 24 hours, we’ve seen two major issues that are important for everyone to take notice of:

Newly Identified Dependency Confusion Packages Target Amazon, Zillow, and Slack; Go Beyond Just Bug Bounties

Sonatype has identified new “dependency confusion” packages published to the npm ecosystem that are malicious in nature.

Sonatype Spots 150+ Malicious npm Packages Copying Recent Software Supply Chain Attacks that Hit 35 Organizations

Just three days ago on February 9th, Sonatype released our findings on Alex Birsan’s research in which he used the “dependency or namespace confusion” technique to push his malicious proof-of-concept (PoC) code to internal development builds of ov…

Dependency Hijacking Software Supply Chain Attack Hits More Than 35 Organizations

Today, news broke that a security researcher managed to breach systems of over 35 tech companies in what has been described as a novel software supply chain attack.

CursedGrabber strikes again: Sonatype spots new malware campaign against Software Supply Chains

On January 16th, Sonatype became aware of 3 malicious packages that were published to npm, and leveraged brandjacking and typosquatting techniques that we previously warned about.