Discord.dll: successor to npm “fallguys” malware went undetected for 5 months

This week, the Sonatype Security Research team has identified a series of counterfeit components in the npm ecosystem. These intentionally malicious packages seem to be doing similar, shady things to the malicious ...

Discord squashes critical Electron bugs: open source attacks continue to grow

My colleague has two kids, ages 9 and 12.  Since the COVID lockdowns they have been playing more online games and each of them use Discord to chat with their friends during ...

CVE-2020-17479: The return of Validation Bypass (CVE-2019-19507) in `jpv`

In addition to regular vulnerability data research, the Sonatype Security Research Team also contributes to the open-source community by going the extra mile when we discover flaws that were previously not reported ...

Nexus Intelligence Insights:CVE-2020-13935 – Apache Tomcat Websocket – Denial of Service (DoS)

For July’s Nexus Intelligence Insight we take a deep dive into a Denial of Service (DoS) vulnerability impacting the popular Apache Tomcat Websocket component ...

New in Nexus Repository 3.23: Nexus Intelligence via npm audit

We are excited to announce the official release of Nexus Repository 3.23. In this release, we continue the story of our enhanced JavaScript support with the new Nexus Intelligence via npm audit ...

Nexus Platform – 2019 Year in Review

Wow, is 2019 over? The year has gone by quickly and it’s probably because we have been so busy at Sonatype, continuing to develop new features for the Nexus Platform. Identifying market ...

The Dot Zero Conundrum and the New Frontier of Securing Open Source

Over the past two years, I’ve spoken about more than instances of adversaries intentionally publishing malicious components into public open source and container repositories. Adversaries used these attacks to mine cryptocurrency, steal ...