dependency confusion
GitHub Fights Forks — Millions of Them — Huge Software Supply Chain Security FAIL
Forking hell: Scrotebots clone thousands of projects, injecting malware millions of times ...
New npm PoC packages target PayPal Zettle, Airbnb developers
Sonatype has identified several npm packages that are named after internal dependencies purportedly used by PayPal Zettle and Airbnb developers ...
John Deere dependency confusion attempt flagged by Sonatype
This week Sonatype identified 17 npm packages, at least 12 of which directly target John Deere's private npm dependencies via dependency confusion, a technique that continues to repeatedly be employed by bug bounty ...
npm package downloads another package while exfiltrating your IP address and username
On any given day, Sonatype's security research team analyzes dozens to hundreds of suspicious packages published to open source registries including npm and PyPI ...
This Week in Malware—Malicious ‘Distutil’ and Spring4Shell active exploitation
This week in malware we have a lot to go over. A mysterious 'Distutil' Python library found on the PyPI repository, active Spring4Shell exploitation by threat actors deploying crypto-miners, ProxyShell exploits targeting ...
VMware VSphere dependency confusion attempt caught by Sonatype
Last week, Sonatype discovered a dubious package 'vapi-client-bindings' published to the PyPI open source repository. The discovery was made by Sonatype's automated malware detection bots ...
Why are dependency confusion attacks not going away?
Ever since the dependency confusion (or namespace confusion) technique gained widespread attention in early 2021, we are yet to see the momentum around these attacks slow down ...
PyPI Flooded with 1,275 Dependency Confusion Packages
Sonatype’s automated malware detection platform Nexus Firewall has flagged multiple dependency confusion packages on the PyPI registry today, all uploaded by the same user. On January 23rd, PyPI user arturlebedev began flooding ...
Are You Still Wondering About Dependency Confusion Attacks?
Recently, the Biden White House released an Executive Order detailing new requirements to address cybersecurity and secure software development, as it relates to national security. This order addresses a variety of issues ...
