From SBOMs to AI BOMs: Why SPDX 3.0 Matters

Software bill of materials (SBOM) strategies are rapidly evolving. What began as a way to track open source components for compliance and vulnerability management is quickly expanding into something much larger: a ...
Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target

Why bother hunting for a CVE when you can just publish malicious code straight into the software supply chain? That’s the story behind the latest wave of Shai-Hulud-related npm compromises, which recently ...
Building Trusted AI Development With Kiro and Sonatype Guide

AI-powered development tools accelerate the production of software. But they also introduce a familiar challenge: how do you ensure that what's generated is secure, compliant, and trustworthy? ...
Sonatype Innovate: Real Peer Connections, Real Product Influence, Real Recognition

Software supply chain security is maturing. The practitioners leading that charge deserve more than a customer portal ...
AI Is Hard Work

"Opportunity is missed by most people because it is dressed in overalls and looks like work." — Thomas A. Edison ...

Sonatype Guide: Giving AI the Context It Needs

AI coding assistants promised to transform software development. And in many ways, they have: coding tasks that once took hours now take minutes, boilerplate nearly writes itself, and entire teams have leveled ...
The Second Coming of Shai-Hulud: Attackers Innovating on npm

The Shai-Hulud campaign is back, but this time with improved automation, persistence tactics, and a new name. In a matter of days, the self-replicating "Sha1-Hulud" malware has resulted in thousands of malicious packages, ...

Why the World’s Vulnerability Index Cannot Keep Up

The Common Vulnerabilities and Exposures (CVE) system has been called the backbone of modern cybersecurity. For decades, it's been the shared language connecting scanners, advisories, compliance frameworks, and government policy ...