Devs flood npm with 15,000 packages to reward themselves with Tea 'tokens'

We have repeatedly come across cases involving open source registries like npm and PyPI being flooded with thousands of packages in a short span of time. Typically, such surges in publishing activity are related to malware, dependency confusion PoCs, or just annoying SEO spam leveraging these registries. It's not every ...
Open source ML/AI models: attackers' next target

We are now in an era where AI and ML tools are thriving, with a new AI service popping up every week, from voice cloning apps to those perfecting digitalized art generation. It is worth noting though that many of these complex systems are the result of open source machine learning ...
npm packages spread 'Bladeroid' crypto-stealer, hijack your Instagram

Sonatype has identified multiple open source packages named sniperv1, sniperv2, among others, that infect npm developers with a Windows info-stealer and crypto-stealer called 'Bladeroid.' ...
The curious case of 'csrf-magic': A case study in supply chain poisoning

Back in the day, Ivanti disclosed CVE-2021-44529, a critical "code injection" vulnerability in its EPM Cloud Services Appliance (CSA) product ...
Exploited Ivanti Connect SSRF vulnerability traced back to 'xmltooling' OSS library

Over the past few weeks, vulnerabilities in proprietary Ivanti products, in particular Ivanti Connect Secure, Policy Secure, and ZTA gateways, have been making headlines for their active exploitation in the wild ...
npm flooded with 748 packages that store movies

Categories: DevZone, npm, Vulnerabilities
Meet npmjs.com, a video and eBook hosting platform. Not our words, but it seems that's what goes on in the minds of some users (and attackers) recently seen misusing the platform to store media like multi-gig movies, videos, and eBooks ...
Fake 'distube-config' npm package drops Windows info-stealing malware

Categories: npm, Vulnerabilities
Sonatype has identified two npm packages, distube-config and discordyt, that typosquat open source packages such as Discord modules in an attempt to infect Windows users with a Trojan. Our security researcher, Juan Aguirre, who analyzed the malware, shares some insights ...
'everything' matters — why the npm package sparked controversy

The npm package 'everything' sparked some controversy shortly after its publication over the holidays this year ...
Top 10 open source projects hit by HTTP/2 'Rapid Reset' zero-day

Executive summary: In this blog post we list at least 10 open source packages affected by the HTTP/2 'Rapid Reset' vulnerability, disclosed by Cloudflare this week ...
npm packages caught exfiltrating Kubernetes config, SSH keys

Categories: DevZone, Malware Analysis, npm
The Sonatype Security Research team is currently tracking an ongoing campaign on the npm registry that uses npm packages to retrieve and exfiltrate your Kubernetes configuration and SSH keys to an external server ...