'Netfetcher' package drops illicit 'node' binary on Windows

‘Netfetcher’ package drops illicit ‘node’ binary on Windows

Recently identified PyPI packages called "netfetcher" and "pyfetcher" impersonate open source libraries and target Windows users with malicious executables that have a zero detection rate among leading antivirus engines. Furthermore, some of these executables are called "node.exe" and even bear the NodeJS icon and metadata, making them evasive and easily ... Read More
Crypto enthusiasts flood npm with more than 281,000 bogus packages overnight

Crypto enthusiasts flood npm with more than 281,000 bogus packages overnight

Crypto enthusiasts have lately been flooding software registries like npm and PyPI with thousands of bogus packages that add no functional value and instead put a strain on the entire open source ecosystem. A single instance, recorded by Sonatype in July 2024, saw 281,512 distinct packages appearing on the npmjs.com ... Read More
Ideal typosquat 'solana-py' steals your crypto wallet keys

Ideal typosquat ‘solana-py’ steals your crypto wallet keys

The legitimate Solana Python API project is known as "solana-py" on GitHub, but simply "solana" on the Python software registry, PyPI. This slight naming discrepancy has been leveraged by a threat actor who published a "solana-py" project on PyPI which, in addition to borrowing real code from the legitimate project, ... Read More
Npm packages conceal macOS malware in 'travis.yml' files, drop bogus  "Safari Updates"

Npm packages conceal macOS malware in ‘travis.yml’ files, drop bogus  “Safari Updates”

Three npm packages identified by Sonatype this week conceal malware in "travis.yml," a CI/CD build configuration file used by Travis CI. These packages contain metadata, description, and code copied from the legitimate "cli-width" package but instead deploy malicious macOS binary, disguised as "Safari updates." ... Read More
Polyfill.io supply chain attack hits 100,000+ websites — all you need to know

Polyfill.io supply chain attack hits 100,000+ websites — all you need to know

In a significant supply chain attack, over 100,000 websites using Polyfill[.]io, a popular JavaScript CDN service, were compromised ... Read More
Exploit creator selling 250+ reserved npm packages on Telegram

Exploit creator selling 250+ reserved npm packages on Telegram

Recently, the Sonatype Security Research team identified more than 250 npm packages which are lucrative and convincing exploits, because these are named exactly like the open source projects coming from Amazon Web Services (AWS), Microsoft, React, CKEditor, among other popular names ... Read More
'cors-parser' npm package hides cross-platform backdoor in PNG files

‘cors-parser’ npm package hides cross-platform backdoor in PNG files

'cors-parser' is neither a cure for Cross-Origin Resource Sharing (CORS) vulnerabilities nor a "parser" for interpreting same-origin policies of a website. Instead, the npm package employs a form of steganography to download what may appear to be PNG images at first. These "images," however, contain encoded instructions to drop malware ... Read More
Russia-linked 'Lumma' crypto stealer now targets Python devs

Russia-linked ‘Lumma’ crypto stealer now targets Python devs

Imagine being a developer who's building the next-gen crypto app by using popular open source components to speed up coding. Instead, you end up including a package in your build that, does accomplish what you are trying to, but additionally steals cryptocurrency on any system that it's installed on. That's ... Read More
PyPI crypto-stealer targets Windows users, revives malware campaign

PyPI crypto-stealer targets Windows users, revives malware campaign

Sonatype has discovered 'pytoileur', a malicious PyPI package hiding code that downloads and installs trojanized Windows binaries capable of surveillance, achieving persistence, and crypto-theft. Our discovery of the malware led us to probe into similar packages that are part of a wider, months-long "Cool package" campaign ... Read More
Devs flood npm with 15,000 packages to reward themselves with Tea 'tokens'

Devs flood npm with 15,000 packages to reward themselves with Tea ‘tokens’

We have repeatedly come across cases involving open source registries like npm and PyPI being flooded with thousands of packages in a short span of time. Typically, such surges in publishing activity are related to malware, dependency confusion PoCs, or just ...annoying SEO spam leveraging these registries. It's not every ... Read More

Application Security Check Up