DevZone

Life is hard. Dependencies don't have to be.

Breaking news, security deep dives, developer culture and coffee from the stewards of Maven Central.

88,217

Malicious Packages Discovered

15,091

Malicious Packages Disclosed

Last Updated: Aug 4, 2022

A History of Software Supply Chain Attacks

JULY 2022

PyPI Packages Steal Telegram Cache Files, Add Windows Remote Desktop Accounts

A Python Cryptominer Targeting Windows, Linux, macOS

JUNE 2022

npm Malware Exfiltrates Windows SAM, Amazon EC2 Credentials

Malware Kills Windows Defender to Drop a Trojan

PyPI Packages Exfiltrate AWS Keys, env vars, Secrets

MAY 2022

Ongoing Campaign Targets ‘colors’ Library

PyPI Package ‘ctx’ and PHP Library ‘phpass’ Compromised to Steal Environment Variables

New ‘pymafka’ Malicious Package Drops Cobalt Strike on macOS, Windows, Linux

Malicious ‘rustdecimal’ Crate Found in Rust Repository

Apache Kafka Project Clone Leverages Dependency Confusion

‘Bloat free’ Data Exfiltration Technique

APRIL 2022

VMware VSphere Dependency Confusion Attempt Caught by Sonatype

500+ Malicious npm Packages Caught by Sonatype

PyPI Takes Down Malicious ‘Distutil’ Package Imitating ‘distutils’

Rise in ‘Protestware’ During Russia-Ukraine Crisis

MARCH 2022

Careful Out There: Open Source Attacks Continue To Be On the Uptick

New ‘colors-2.0’, ‘colors-3.0’ Packages Are Malicious

A Cryptic ‘Reverse Shell’ Found Lurking in PyPI Packages

86 Malicious npm Packages Named After Popular NodeJS Functions

FEBRUARY 2022

Malicious PyPI Packages Steal Your Roblox Security Cookies and Discord Tokens

PyPI, NuGet, and npm Flooded With Roblox and Fortnite Spam

Trojanized PyPI Package Imitates a Popular Python Server Library

jQuery npm Typosquat Has a Fishy Surprise

JANUARY 2022

Massively Popular "Colors" and "Faker" npm Libraries Sabotaged

PyPI Flooded With More Than 1,200 Dependency Confusion Packages

DECEMBER 2021

Crypto App Faces $5 Million Ransom Demand Following Log4j Hack

Log4j Zero-day Sets the Internet on Fire With 'Log4Shell' Attacks

Malicious PyPI Packages With 10,000 Downloads Taken Down

NOVEMBER 2021

Popular Library "coa" Gets Hijacked in an Identical Style as "ua-parser-js"

Hours After "coa" Hijack Is Discovered, "rc" Is Hijacked, Too

OCTOBER 2021

Newly Found npm Malware Mines Cryptocurrency on Multiple Devices

Popular "ua-parser-js" Library Attacked

Fake npm Roblox API Package Installs Ransomware and Has a Spooky Surprise

SEPTEMBER 2021

Cryptocurrency Heist Stemmed from a Malicious GitHub Commit

JULY 2021

Kaseya

MAY 2021

Microsoft’s WinGet Flooded With Duplicate, Malformed Apps

APRIL 2021

Codecov

FEBRUARY 2021

Namespace Confusion

DECEMBER 2020

SolarWinds

NOVEMBER 2020

“CursedGrabber” Malware Discovered

Counterfeit Components Discovered in the npm Ecosystem

New npm Malware With Bladabindi Trojan Spotted

OCTOBER 2020

Brandjacking Malware Found in npm

AUGUST 2020

Multiple npm Packages Vulnerable to Typosquatting Attacks

MAY 2020

Octopus Scanner

APRIL 2020

Hundreds of Malware Gems found on RubyGems

JANUARY 2020

Microsoft Spots Malicious JavaScript Package

DECEMBER 2019

Trojanized Python Libraries Removed

NOVEMBER 2019

Computers Running Malicious npm Package Considered “Fully Compromised”

Prototype Pollution Vulnerability Continues to Cause Problems

OCTOBER 2019

Gem Packages Pulled From Repo

AUGUST 2019

Compromised Version of rest-client Maintainer Stole Credentials, Installed Crypto Miners

Malicious Package Removed From npm Repository

JULY 2019

Malicious Python Libraries Removed From PyPI

RubyGems Component Found to Contain Malicious Code

JUNE 2019

Cryptocurrency Attack on npm via Malicious Code Injection

23 Malicious RubyGems Packages Discovered

MARCH 2019

Backdoored RubyGems Package Allows Remote Code Execution

NOVEMBER 2018

Malicious Package Injected Into Popular npm Package

JULY 2018

Compromised JavaScript Package Caught Stealing npm Credentials

Homebrew Repository Compromised

JUNE 2018

Linux Distro Hacked on GitHub

MAY 2018

Backdoored npm Package Discovered

Backdoored PyPI Package Discovered

FEBRUARY 2018

Deleted GitHub Account Resurrected by Unknown User

npm Credentials Intentionally Compromised

JANUARY 2018

“I’m harvesting credit card numbers and passwords from your site. Here’s how.”

SEPTEMBER 2017

PyPI Typosquat

JULY 2017

Typosquatting Attack on npm

npm Credentials Published Online

17 Backdoored Images Created on Docker Hub
