PATH:/resources/nexus-intelligence-insights QUERY: DOMAIN:www.sonatype.com
Spring Security provides security services for the Spring IO Platform, available on their Github repository. Today we focus on the “oauth2” client, which provides an application with the
Cloudflare has patched a critical vulnerability in its open source content delivery network, CDNJS. The issue threatened the security, integrity, and availability of the wider supply chain.
Sonatype has identified malicious typosquatting packages infiltrating the PyPI repository that secretly pull in cryptominers on the affected machines.
I get asked often what Sonatype's automated malware detection system, Release Integrity, has found so far. Great question!
Over the weekend, Sonatype spotted a rather unique malware sample published to the npm registry, within a day of its release on npm.
Guess who's back? Earlier this month, CVE-2021-22114 in spring-integration-zip, returned for the second time to cause havoc.
We’ve seen so many software supply chain attacks in recent weeks that it’s hard for us to talk about all of them. But, in the last 24 hours, we’ve seen two major issues that are important for
This week, a vigilante actor flooded PyPI and npm repositories with nearly 5,000 dependency confusion packages.
Sonatype has identified new “dependency confusion” packages published to the npm ecosystem that are malicious in nature.
Just three days ago on February 9th, Sonatype released our findings on Alex Birsan’s research in which he used the “dependency or namespace confusion” technique to push his malicious
Today, news broke that a security researcher managed to breach systems of over 35 tech companies in what has been described as a novel software supply chain attack.
On January 16th, Sonatype became aware of 3 malicious packages that were published to npm, and leveraged brandjacking and typosquatting techniques that we previously warned about.
