Sonatype unveils its complete software supply chain management solution | Press release


Deep dive into Sonatype Security Research

See incredible research performed (24x7x365) by our team. Learn how open source exploits work. Get expert guidance on how to remediate risk.


This npm Package Could Have Brought Down Cloudflare’s Entire CDN and Millions of Websites

Cloudflare has patched a critical vulnerability in its open source content delivery network, CDNJS. The issue threatened the security, integrity, and availability of the wider supply chain.

Read more

Sonatype Catches New PyPI Cryptomining Malware

Sonatype has identified malicious typosquatting packages infiltrating the PyPI repository that secretly pull in cryptominers on the affected machines.

Read more

Open Source Attacks on the Rise: Top 8 Malicious Packages Found in npm

I get asked often what Sonatype's automated malware detection system, Release Integrity, has found so far. Great question!

Read more

Damaging Linux & Mac Malware Bundled within Browserify npm Brandjack Attempt

Over the weekend, Sonatype spotted a rather unique malware sample published to the npm registry, within a day of its release on npm.

Read more

Deep Diving into CVE-2021-22114 Spring-integration-zip Path Traversal

Guess who's back? Earlier this month, CVE-2021-22114 in spring-integration-zip, returned for the second time to cause havoc.

Read more

Netmask Flaw Leaves Millions Vulnerable While a PHP Git Server is Hacked in Software Supply Chain Attack

We’ve seen so many software supply chain attacks in recent weeks that it’s hard for us to talk about all of them. But, in the last 24 hours, we’ve seen two major issues that are important for

Read more

PyPI and npm Flooded with over 5,000 Dependency Confusion Copycats

This week, a vigilante actor flooded PyPI and npm repositories with nearly 5,000 dependency confusion packages.

Read more

Newly Identified Dependency Confusion Packages Target Amazon, Zillow, and Slack; Go Beyond Just Bug Bounties

Sonatype has identified new “dependency confusion” packages published to the npm ecosystem that are malicious in nature.

Read more

Sonatype Spots 275+ Malicious npm Packages Copying Recent Software Supply Chain Attacks that Hit 35 Organizations

Just three days ago on February 9th, Sonatype released our findings on Alex Birsan’s research in which he used the “dependency or namespace confusion” technique to push his malicious

Read more

Dependency Hijacking Software Supply Chain Attack Hits More Than 35 Organizations

Today, news broke that a security researcher managed to breach systems of over 35 tech companies in what has been described as a novel software supply chain attack.

Read more

CursedGrabber strikes again: Sonatype spots new malware campaign against Software Supply Chains

On January 16th, Sonatype became aware of 3 malicious packages that were published to npm, and leveraged brandjacking and typosquatting techniques that we previously warned about.

Read more

Sonatype Stops Software Supply Chain Attack Aimed at the Java Developer Community

On January 7th, Sonatype became aware of 3 malicious brandjacking components which were published to the Maven Central Repository in the last week of 2020.

Read more

2 New RubyGems laced with cryptocurrency stealing malware taken down

This month, RubyGems removed 2 gems from its open source software repository that contained malicious code. These gems, tracked as sonatype-2020-1222 by us, are:

Read more