2025 predictions: Threats
The threat landscape is evolving at an unprecedented pace, and 2025 is shaping up to be a pivotal year for security professionals ...

Lottie Player compromised in supply chain attack — all you need to know
Popular JavaScript library and npm package Lottie Player was compromised in a supply chain attack with threat actors releasing three new versions of the component yesterday, all in a span of a ...

Counterfeit Lodash attack leverages AnyDesk to target Windows users
npm packages identified by Sonatype recently are named similar to the vastly popular JavaScript library, lodash. These packages abuse typosquatting and carry within them a modified version of the AnyDesk utility to target ...

‘Netfetcher’ package drops illicit ‘node’ binary on Windows
Recently identified PyPI packages called "netfetcher" and "pyfetcher" impersonate open source libraries and target Windows users with malicious executables that have a zero detection rate among leading antivirus engines. Furthermore, some of ...

Ideal typosquat ‘solana-py’ steals your crypto wallet keys
The legitimate Solana Python API project is known as "solana-py" on GitHub, but simply "solana" on the Python software registry, PyPI. This slight naming discrepancy has been leveraged by a threat actor ...

‘cors-parser’ npm package hides cross-platform backdoor in PNG files
'cors-parser' is neither a cure for Cross-Origin Resource Sharing (CORS) vulnerabilities nor a "parser" for interpreting same-origin policies of a website. Instead, the npm package employs a form of steganography to download ...

Russia-linked ‘Lumma’ crypto stealer now targets Python devs
Imagine being a developer who's building the next-gen crypto app by using popular open source components to speed up coding. Instead, you end up including a package in your build that does ...

Devs flood npm with 15,000 packages to reward themselves with Tea ‘tokens’
We have repeatedly come across cases involving open source registries like npm and PyPI being flooded with thousands of packages in a short span of time. Typically, such surges in publishing activity ...

CVE-2023-50164: Another vulnerability in the widely used Apache Struts2 component
Yet another remote code execution vulnerability in Apache’s Struts2 Framework has been discovered, leaving many with strong feelings of déjà vu. If you're a developer, it's not unreasonable to be concerned ...
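Two of the stories above (the counterfeit lodash packages and the "solana" vs "solana-py" registry mismatch) hinge on the same trick: a package name that is one edit or one affix away from a real one. The following is an added example of the pre-install check a practitioner can run over a dependency list; it is not Sonatype's tooling and not code from any of the packages discussed. The list of popular names, the affix list and the sample manifest are constructed for illustration. Note what it deliberately does not catch: a name like 'cors-parser', which is not a typosquat at all, needs content analysis rather than name analysis.

```python
"""Flag dependency names that look like typosquats of popular packages.

Added example; the POPULAR set, AFFIXES and SAMPLE_DEPS below are
constructed assumptions, not data from the articles or any registry.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


# Names an organisation would treat as "well known" (assumed list).
POPULAR = ("lodash", "solana", "requests", "react", "express", "cors")

# Affixes attackers bolt onto a real name; longest-first so "-py"
# is tried before "py" (assumed list).
AFFIXES = ("-python", "-node", "-py", "-js", "py", "js", "2", "3")


def strip_affix(name: str) -> str:
    """Return name with one trailing affix removed, or name unchanged."""
    for affix in AFFIXES:
        if name.endswith(affix) and len(name) > len(affix):
            return name[: -len(affix)]
    return name


def check_dependency(name: str, popular=POPULAR, max_distance: int = 2):
    """Return a reason string if name looks like a typosquat, else None.

    Exact matches are fine; a popular name plus an affix, or a name within
    max_distance edits of a popular name, is flagged for manual review.
    """
    lname = name.lower()
    if lname in popular:
        return None
    base = strip_affix(lname)
    if base in popular:
        return f"affix of '{base}'"
    nearest = min(popular, key=lambda p: levenshtein(lname, p))
    dist = levenshtein(lname, nearest)
    if dist <= max_distance:
        return f"edit distance {dist} from '{nearest}'"
    return None


def scan_manifest(deps, popular=POPULAR, max_distance: int = 2) -> dict:
    """Map each suspicious dependency name to the reason it was flagged."""
    findings = {}
    for dep in deps:
        reason = check_dependency(dep, popular, max_distance)
        if reason:
            findings[dep] = reason
    return findings


# Constructed sample manifest: one transposition, one affix squat,
# two names that name heuristics alone cannot judge.
SAMPLE_DEPS = ["lodash", "lodahs", "solana-py", "requests",
               "netfetcher", "cors-parser"]

if __name__ == "__main__":
    for dep, why in scan_manifest(SAMPLE_DEPS).items():
        print(f"REVIEW {dep}: {why}")
```

Run it against the names in a lockfile before `npm install` or `pip install`; anything flagged is a candidate for review, not a verdict, since legitimate forks and ports also use these affixes.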