Lottie Player compromised in supply chain attack — all you need to know

Popular JavaScript library and npm package Lottie Player was compromised in a supply chain attack with threat actors releasing three new versions of the component yesterday, all in a span of a ...
Counterfeit Lodash attack leverages AnyDesk to target Windows users

npm packages recently identified by Sonatype are named similarly to the vastly popular JavaScript library lodash. These packages abuse typosquatting and carry within them a modified version of the AnyDesk utility to target ...
'Netfetcher' package drops illicit 'node' binary on Windows

Recently identified PyPI packages called "netfetcher" and "pyfetcher" impersonate open source libraries and target Windows users with malicious executables that have a zero detection rate among leading antivirus engines. Furthermore, some of ...
Ideal typosquat 'solana-py' steals your crypto wallet keys

The legitimate Solana Python API project is known as "solana-py" on GitHub, but simply "solana" on the Python software registry, PyPI. This slight naming discrepancy has been leveraged by a threat actor ...
'cors-parser' npm package hides cross-platform backdoor in PNG files

'cors-parser' is neither a cure for Cross-Origin Resource Sharing (CORS) vulnerabilities nor a "parser" for interpreting same-origin policies of a website. Instead, the npm package employs a form of steganography to download ...
Russia-linked 'Lumma' crypto stealer now targets Python devs

Imagine being a developer who's building the next-gen crypto app by using popular open source components to speed up coding. Instead, you end up including a package in your build that does ...
Devs flood npm with 15,000 packages to reward themselves with Tea 'tokens'

We have repeatedly come across cases involving open source registries like npm and PyPI being flooded with thousands of packages in a short span of time. Typically, such surges in publishing activity ...
CVE-2023-50164: Another vulnerability in the widely used Apache Struts2 component

Yet another remote code execution vulnerability in Apache's Struts2 framework has been discovered, leaving many with a strong sense of déjà vu. If you're a developer, it's not unreasonable to be concerned ...

Decrypting the Ledger connect-kit compromise: A deep dive into the crypto drainer attack

Earlier today, Ledger, a maker of hardware wallets for storing crypto, announced that they had identified malicious software embedded in one of their open source packages called @ledgerhq/connect-kit. This package is widely ...