See incredible research performed (24x7x365) by our team. Learn how open source exploits work. Get expert guidance on how to remediate risk.
This week Apache disclosed 3 vulnerabilities impacting Log4j 1.x versions.
In what can only be described as one of the most bizarre events in the history of open source, we find that the massively popular open source libraries, colors.js, and faker.js were sabotaged by
Update 26-Jan-2022: One of the 'Intel-Corp' repos was also hijacked in the same attack described below [1, 2].
We can’t end this year without talking about open source package hijacks one more time.
Yesterday, Apache released Log4j version 2.17.1, which squashes a newly discovered code execution bug, tracked as CVE-2021-44832. Our Log4j vulnerability resource center has since been updated to
As the log4j vulnerability disclosures come out, and ongoing exploitation in the wild is on, we have been closely monitoring developments and tracking the gap between the disclosures and how fast the
On Friday, the news broke about Log4Shell, an easy-to-exploit vulnerability being exploited across the world. We have kept our blog up to date with the latest news, mitigations and strategies that
News broke early Friday morning of a serious 0-day Remote Code Execution exploit in log4j - CVE-2021-44228- the most popular java logging framework used by Java software far and wide. This type of
A new malicious package, noblox.js-rpc was spotted on the npm registry this month that leverages the same techniques we saw before to steal all sorts of sensitive data like credentials, files, and
Just last week we saw the popular npm package `ua-parser-js` get hijacked. Malicious actors gained access to the project maintainer’s npm account and published malicious versions that attempted to
The world was just coming to terms with the “ua-parser-js” npm library hijacking incident, and Sonatype’s discovery of crypto-mining malware from last week, when we found a bigger, and spookier,
Last week, Sonatype reported our discovery of three malicious npm cryptomining packages on npm: klow, klown, and okhsa. These packages, which infiltrated the npm registry between October 12th and
Sonatype’s automated malware detection system has caught multiple malicious packages on the npm registry this month. These packages disguise themselves as legitimate JavaScript libraries but were
Spring Security provides security services for the Spring IO Platform, available on their Github repository. Today we focus on the “oauth2” client, which provides an application with the capability
Sonatype Headquarters - 8161 Maple Lawn Blvd #250, Fulton, MD 20759
Tysons Office - 8281 Greensboro Drive – Suite 630, McLean, VA 22102
Australia Office - 60 Martin Place Level 1, Sydney, NSW 2000, Australia
London Office -168 Shoreditch High Street, E1 6HU London
Copyright © 2008–heute, Sonatype Inc. Alle Rechte vorbehalten. Schließt hier aufgeführten Drittanbietercode ein. Sonatype und Sonatype Nexus sind Warenzeichen von Sonatype, Inc. Apache Maven und Maven sind Warenzeichen der Apache Software Foundation. M2Eclipse ist ein Warenzeichen der Eclipse Foundation. Alle anderen Warenzeichen sind Eigentum der jeweiligen Inhaber.
Nutzungsbedingungen Datenschutzrichtlinie Erklärung zu moderner Sklaverei Event Terms and Conditions Do Not Sell My Personal Information