PATH:/resources/nexus-intelligence-insights QUERY: DOMAIN:www.sonatype.com
We can’t end this year without talking about open source package hijacks one more time.
Approx reading time: 6 mins
As the log4j vulnerability disclosures come out, and ongoing exploitation in the wild is on, we have been closely monitoring developments and tracking the gap between the disclosures and how fast
On Friday, the news broke about Log4Shell, an easy-to-exploit vulnerability being exploited across the world. We have kept our blog from Friday up to date with the latest news, mitigations and
News broke early Friday morning of a serious 0-day Remote Code Execution exploit in log4j - CVE-2021-44228- the most popular java logging framework used by Java software far and wide. This type of
A new malicious package, noblox.js-rpc was spotted on the npm registry this month that leverages the same techniques we saw before to steal all sorts of sensitive data like credentials, files, and
Just last week we saw the popular npm package `ua-parser-js` get hijacked. Malicious actors gained access to the project maintainer’s npm account and published malicious versions that attempted to
The world was just coming to terms with the “ua-parser-js” npm library hijacking incident, and Sonatype’s discovery of crypto-mining malware from last week, when we found a bigger, and spookier,
Last week, Sonatype reported our discovery of three malicious npm cryptomining packages on npm: klow, klown, and okhsa. These packages, which infiltrated the npm registry between October 12th and
Update: Following our disclosure of these malicious packages, the legitimate library "ua-parser-js" used by millions was itself was found to be compromised. We have released a subsequent blog post
Spring Security provides security services for the Spring IO Platform, available on their Github repository. Today we focus on the “oauth2” client, which provides an application with the
Cloudflare has patched a critical vulnerability in its open source content delivery network, CDNJS. The issue threatened the security, integrity, and availability of the wider supply chain.
