Sonatype finds malicious npm packages which broadcast your IP, username, and device fingerprint info on the web

Sonatype researchers discovered and confirmed the presence of two new vulnerable npm packages. Sonatype’s discovery was initially made by its malicious code detection bots. By applying machine learning and artificial intelligence to identify suspicious code commits, update signals, and developer patterns, the bots are continuously assessing changes across millions of ... Read More

Inside the “fallguys” malware that steals your browsing data and gaming IMs; Continued attack on open source software

This weekend a report emerged of mysterious npm malware stealing sensitive information from Discord apps and web browsers installed on a user’s machine ... Read More

From Prototype Pollution to full-on remote code execution, how can adversaries exploit npm modules?

The NodeJS component express-fileupload - touting 7 million downloads from the npm registry -  now has a critical Prototype Pollution vulnerability ... Read More

Nexus Intelligence Insights:CVE-2020-13935 – Apache Tomcat Websocket – Denial of Service (DoS)

For July’s Nexus Intelligence Insight we take a deep dive into a Denial of Service (DoS) vulnerability impacting the popular Apache Tomcat Websocket component ... Read More

Nexus Intelligence Insights: xlsx aka SheetJS – Regular Expression Denial of Service (ReDoS) and sonatype-2018-0622

For this month’s Nexus Intelligence Insights, we explore an interesting case of ReDoS vulnerability impacting the popular npm component, SheetJS, also known as “xlsx”. It may pique your interest to learn that this vulnerability was previously thought to be remedied through a fix. Adam Cazzolla of Sonatype Security Research later ... Read More

Nexus Intelligence Insights: Protect Your Bitcoins from 700+ Malicious RubyGems with sonatype-2020-0196

Last week news broke about how 700 typosquatting libraries had made their way into the famous RubyGems repository. The complete list, first published by Reversing Labs, reveals how crafty attackers can take advantage of the open source software supply chain by relying on human typographical errors, to which not even ... Read More

Nexus Intelligence Insights: CVE-2019-3773 Spring Web Services XML External Entity Injection (XXE)

Spring, a widely used component, makes programming multiple things in Java easier, faster, and safer. The project’s focus on speed, simplicity, and productivity has made it one of the world's most popular Java frameworks. Spring’s multifaceted use cases include building microservices, cloud apps, and event driven systems. Spring is the ... Read More

Nexus Intelligence Insights: What’s in a Ghostcat? CVE-2020-1938 Apache Tomcat – Local File Inclusion Potentially Leads to RCE

For this month’s Nexus Intelligence Insights, let’s dive deep into the popular Ghostcat vulnerability making headlines recently. This vulnerability deserves attention as it impacts the widely used Apache Tomcat web server, has at least 5 exploits publicly available on GitHub and ExploitDB, and has a rather simple, yet overlooked, root ... Read More

What Does the New CVSS 3.1 Scoring Model Mean for Enterprise Security?

With thousands of security vulnerabilities reported each month in products ranging from hardware devices to firmware to popular software apps, how does one prioritise what needs the most attention? From a business and project management perspective, it makes sense to, first and foremost, allocate engineering and/or risk assessment resources to ... Read More

Nexus Intelligence Insights CVE-2020-2100: Jenkins – UDP Amplification Reflection Attack Leading to Distributed Denial of Service (DDoS)

In the wake of the serious Jenkins vulnerability impacting at least 12,000 Jenkins servers, we dedicate February’s Nexus Intelligence Insights to helping you solve it. This vulnerability is clever; it opens up two potential lines of attack. One is through amplification and reflection; the other kickstarts an infinity loop. Both ... Read More