Newly Found npm Malware Mines Cryptocurrency on Windows, Linux, macOS Devices
Sonatype’s automated malware detection system has caught multiple malicious packages on the npm registry this month. These packages disguise themselves as legitimate JavaScript libraries but were caught launching cryptominers on Windows, macOS and Linux machines ... Read More
CursedGrabber strikes again: Sonatype spots new malware campaign against Software Supply Chains
On January 16th, Sonatype became aware of 3 malicious packages that were published to npm, and leveraged brandjacking and typosquatting techniques that we previously warned about ... Read More
Sonatype Stops Software Supply Chain Attack Aimed at the Java Developer Community
On January 7th, Sonatype became aware of 3 malicious brandjacking components which were published to the Maven Central Repository in the last week of 2020. ... Read More
CVE-2020-17479: The return of Validation Bypass (CVE-2019-19507) in `jpv`
In addition to regular vulnerability data research, the Sonatype Security Research Team also contributes to the open-source community by going the extra mile when we discover flaws that were previously not reported. Recall, earlier this year when our team had discovered they could bypass a fix made to the SheetJS ... Read More
