Breaking news, security deep dives, developer culture and coffee from the stewards of Maven Central.
‘Bloat free’ Data Exfiltration Technique
Malicious ‘rustdecimal’ Crate Found in Rust Repository
Ongoing Campaign Targets ‘colors’ Library
Apache Kafka Project Clone Leverages Dependency Confusion
PyPI Package ‘ctx’ and PHP Library ‘phpass’ Compromised to Steal Environment Variables
New ‘pymafka’ Malicious Package Drops Cobalt Strike on macOS, Windows, Linux
VMware vSphere Dependency Confusion Attempt Caught by Sonatype
500+ Malicious npm Packages Caught by Sonatype
PyPI Takes Down Malicious ‘Distutil’ Package Imitating ‘distutils’
Rise in ‘Protestware’ During Russia-Ukraine Crisis
Careful Out There: Open Source Attacks Continue To Be On the Uptick
New ‘colors-2.0’, ‘colors-3.0’ Packages Are Malicious
A Cryptic ‘Reverse Shell’ Found Lurking in PyPI Packages
86 Malicious npm Packages Named After Popular NodeJS Functions
Malicious PyPI Packages Steal Your Roblox Security Cookies and Discord Tokens
PyPI, NuGet, and npm Flooded With Roblox and Fortnite Spam
Trojanized PyPI Package Imitates a Popular Python Server Library
jQuery npm Typosquat Has a Fishy Surprise
Massively Popular "Colors" and "Faker" npm Libraries Sabotaged
PyPI Flooded With More Than 1,200 Dependency Confusion Packages
Crypto App Faces $5 Million Ransom Demand Following Log4j Hack
Log4j Zero-day Sets the Internet on Fire With 'Log4Shell' Attacks
Malicious PyPI Packages With 10,000 Downloads Taken Down
Popular Library "coa" Gets Hijacked in an Identical Style as "ua-parser-js"
Hours After "coa" Hijack Is Discovered, "rc" Is Hijacked, Too
Newly Found npm Malware Mines Cryptocurrency on Multiple Devices
Popular "ua-parser-js" Library Attacked
Fake npm Roblox API Package Installs Ransomware and Has a Spooky Surprise
Cryptocurrency Heist Stemmed from a Malicious GitHub Commit
Microsoft’s WinGet Flooded With Duplicate, Malformed Apps
“CursedGrabber” Malware Discovered
Counterfeit Components Discovered in the npm Ecosystem
New npm Malware With Bladabindi Trojan Spotted
Brandjacking Malware Found in npm
Multiple npm Packages Vulnerable to Typosquatting Attacks
Hundreds of Malware Gems Found on RubyGems
Microsoft Spots Malicious JavaScript Package
Trojanized Python Libraries Removed
Computers Running Malicious npm Package Considered “Fully Compromised”
Prototype Pollution Vulnerability Continues to Cause Problems
Compromised Version of rest-client Maintainer Stole Credentials, Installed Crypto Miners
Malicious Package Removed From npm Repository
Malicious Python Libraries Removed From PyPI
RubyGems Component Found to Contain Malicious Code
Cryptocurrency Attack on npm via Malicious Code Injection
23 Malicious RubyGems Packages Discovered
Backdoored RubyGems Package Allows Remote Code Execution
Malicious Package Injected Into Popular npm Package
Compromised JavaScript Package Caught Stealing npm Credentials
Homebrew Repository Compromised
Backdoored npm Package Discovered
Backdoored PyPI Package Discovered
Deleted GitHub Account Resurrected by Unknown User
npm Credentials Intentionally Compromised
“I’m harvesting credit card numbers and passwords from your site. Here’s how.”
Copyright © 2008-present, Sonatype Inc. All rights reserved. Includes the third-party code listed here. Sonatype and Sonatype Nexus are trademarks of Sonatype, Inc. Apache Maven and Maven are trademarks of the Apache Software Foundation. M2Eclipse is a trademark of the Eclipse Foundation. All other trademarks are the property of their respective owners.