New Year, New CVE: a Deep Dive into ‘node-forge’ (CVE-2022-0122)
With over 16 million weekly downloads, the important and widely used "node-forge" component on npm implements key security functions, including the Transport Layer Security protocol, cryptographic primitives, and development tools for web apps in native JavaScript ...
Tracking the ‘Noblox.js’ npm Malware Campaign
A new malicious package, noblox.js-rpc, was spotted on the npm registry this month. It leverages the same techniques we saw before to steal all sorts of sensitive data, such as credentials, files, and even the Windows registration key, and finally installs ransomware. The package is being tracked under the identifier sonatype-2021-1526 ...
NPM Hijackers at it Again: Popular ‘coa’ and ‘rc’ Open Source Libraries Taken Over to Spread Malware
Just last week we saw the popular npm package `ua-parser-js` get hijacked. Malicious actors gained access to the project maintainer’s npm account and published malicious versions that attempted to install a cryptominer on the compromised system and download a malicious DLL responsible for stealing credentials ...
Fake npm Roblox API package installs ransomware and has a spooky surprise
The world was just coming to terms with the "ua-parser-js" npm library hijacking incident, and Sonatype's discovery of crypto-mining malware from last week, when we found a bigger, and spookier, issue just in time for Halloween ...
From Feature to Vulnerability: a spring-security-oauth2-client Story
Spring Security provides security services for the Spring IO Platform and is available on their GitHub repository. Today we focus on the “oauth2” client, which gives an application the capability to let users log in with their existing account at an OAuth 2.0 provider, e.g. GitHub and Google, among others ...
Deep Diving into CVE-2021-22114: spring-integration-zip Path Traversal
Guess who's back? Earlier this month, CVE-2021-22114 in spring-integration-zip returned for the second time to cause havoc ...

Symbolic Execution for Mortals
In this article, we explain an approach to symbolic execution that is very useful for software assessment ...

Another Proud Son of JSON
Here we introduce JSON Web Token, a simple, quick way to send secure, digitally signed data from one party to another via URL, using Base64 encoding ...

Conserving Your Identity
In this article, we present a secure way to exchange information between different web services using the realms of Web Services Federation (WSF) ...