New npm PoC packages target PayPal Zettle, Airbnb developers
Sonatype has identified several npm packages that are named after internal dependencies purportedly used by PayPal Zettle and Airbnb developers ...
Malicious PyPI package ‘VMConnect’ imitates VMware vSphere connector module
This month, we analyzed a malicious PyPI package called ‘VMConnect,’ which has been designed to strongly resemble the legitimate VMware vSphere connector module, ‘vConnector’, except it hides sinister code within ...
“Quoi…? feur” from meme to malware – PyPI package targets Windows with ‘NullRAT’ info-stealer
We’ve got a rather interesting malicious finding this month to talk about, one that mixes a meme with malware ...
npm Manifest Confusion – What Is It and Do You Really Need to Worry About It?
Yesterday, Darcy Clarke, a software developer and a former npm CLI team Engineering Manager, steered everyone’s attention towards a gap in the npm registry website – what he calls “manifest confusion.” ...
PyPI Attackers Still At It: Malicious Packages Drop Trojans and Info-stealers
This month, Sonatype’s automated malicious open source and malware detection systems flagged hundreds of malicious packages, 10 of which we have analyzed in this blog post ...
Attacker floods PyPI with 450+ malicious packages that drop Windows trojan via Dropbox
Sonatype has been tracking an open source malware campaign developing over the weekend in which a threat actor is infiltrating the PyPI software registry with hundreds of malicious packages. These packages are being rapidly removed by the PyPI admins as they come up, but the behavior continues well into today ...
Best of 2022: npm Libraries ‘colors’ and ‘faker’ Sabotaged in Protest by Their Maintainer—What to do Now?
In what can only be described as one of the most bizarre events in the history of open source, we find that the massively popular open source libraries colors.js and faker.js were sabotaged by their very own maintainer, as I first reported over the weekend ...
This Week in Malware—Ongoing Dependency Confusion
This week in malware, Sonatype's automated malware detection systems have flagged over four dozen packages on both the npm and PyPI registries. Most of these packages are dependency confusion candidates published as proof-of-concept (PoC) exercises by security enthusiasts and bug bounty hunters ...