Sonatype présente la gestion des dépendances nouvelle génération | Communiqué de presse

Informations Nexus Intelligence

Essayer maintenant  

Deep dive into Sonatype Security Research

See incredible research performed (24x7x365) by our team.  Learn how open source exploits work.  Get expert guidance on how to remediate risk.

new dependency confusion packages published to the npm ecosystem are malicious in nature.

Newly Identified Dependency Confusion Packages Target Amazon, Zillow, and Slack; Go Beyond Just Bug Bounties

Sonatype has identified new “dependency confusion” packages published to the npm ecosystem that are malicious in nature.

Lire la suite
Sonatype Spots Malicious npm Packages Copying Novel Software Supply Chain Attack

Sonatype Spots 275+ Malicious npm Packages Copying Recent Software Supply Chain Attacks that Hit 35 Organizations

Just three days ago on February 9th, Sonatype released our findings on Alex Birsan’s research in which he used the “dependency or namespace confusion” technique to push his malicious

Lire la suite
Dependency Hijacking Software Supply Chain Attack

Dependency Hijacking Software Supply Chain Attack Hits More Than 35 Organizations

Today, news broke that a security researcher managed to breach systems of over 35 tech companies in what has been described as a novel software supply chain attack.

Lire la suite

CursedGrabber strikes again: Sonatype spots new malware campaign against Software Supply Chains

On January 16th, Sonatype became aware of 3 malicious packages that were published to npm, and leveraged brandjacking and typosquatting techniques that we  previously warned about.

Lire la suite
software supply chain attack on Java developer community thwarted

Sonatype Stops Software Supply Chain Attack Aimed at the Java Developer Community

On January 7th, Sonatype became aware of 3 malicious brandjacking components which were published to the Maven Central Repository in the last week of 2020. 

Lire la suite

2 New RubyGems laced with cryptocurrency stealing malware taken down

This month, RubyGems removed 2 gems from its open source software repository that contained malicious code. These gems, tracked as sonatype-2020-1222 by us, are:

Lire la suite
 Malicious typosquatting open source packages in npm are laced with a popular Remote Access Trojan (RAT).

There’s a RAT in my code: new npm malware with Bladabindi trojan spotted

Over the Thanksgiving weekend, Sonatype discovered new malware within the npm registry. This time, the typosquatting packages identified by us are laced with a popular Remote Access Trojan (RAT).

Lire la suite

Massive threat campaign strikes open-source repos, Sonatype spots new CursedGrabber malware

Sonatype has discovered more malware in the npm registry which, following our analysis and multiple cyber threat intelligence reports, has led to the discovery of a novel and large scale malware

Lire la suite

Discord.dll: successor to npm “fallguys” malware went undetected for 5 months

This week, the Sonatype Security Research team has identified a series of counterfeit components in the npm ecosystem. These intentionally malicious packages seem to be doing similar, shady things

Lire la suite

Gitpaste-12: A dozen exploits that silently lived on GitHub, attacked Linux servers

Just months after Octopus Scanner was caught infecting 26 open-source projects on GitHub, new reports have already surfaced of another, new sophisticated malware infection. Gitpaste-12, a worming

Lire la suite

Trick or treat: that `twilio-npm` package is brandjacking malware in disguise!

As if the increasing attacks on the open source ecosystem and vulnerabilities making headlines weren’t scary enough events, this Halloween devs were exposed to another malicious trick

Lire la suite

Discord squashes critical Electron bugs: open source attacks continue to grow

My colleague has two kids, ages 9 and 12.  Since the COVID lockdowns they have been playing more online games and each of them use Discord to chat with their friends during gameplay.  Did my

Lire la suite

Sonatype finds malicious npm packages which broadcast your IP, username, and device fingerprint info on the web

Sonatype researchers discovered and confirmed the presence of two new vulnerable npm packages. Sonatype’s discovery was initially made by its malicious code detection bots. By applying machine

Lire la suite