The npm registry is again being abused by a bad actor to launch a supply chain attack: three dozen malicious packages that pose as Strapi CMS plugins but deliver a range of threats. Strapi is a popular open source headless Node.js content management system that developers use to build, manage, and expose content […]
North Korean Hackers Suspected in Supply Chain Attack on Popular Axios Project
The threat actor targeted a highly popular open source project with more than 100 million weekly downloads, creating a large “blast radius.”
Two Malicious npm Packages Aim to Steal Credentials and Other Secrets
Bad actors took over an npm maintainer account and published two malicious packages designed to steal credentials, API keys, and other secrets from the computers of victims who download them from the registry. Analysts with Sonatype’s Security Research Team wrote in a report that the two packages – sbx-mask and touch-adv – likely are […]
Securing Open Source Components in a World of Mixed Committer Motivations
Our world runs on software that contains open source components. This places an increased burden on developers, as the primary consumers and deployers of those components, to use code that is fully up-to-date and secure. The vast majority of open source committers with write access to project repositories remain focused on maintaining and making positive […]
Sonatype Report Surfaces Scope of Known Vulnerability Challenge
Sonatype this week published a State of the Software Supply Chain Report that found a 633% year-over-year increase in malicious attacks aimed at open source software residing in public repositories. In addition, Sonatype launched a Sonatype Safety Rating system that employs machine learning algorithms and other metrics to identify the most secure open source components […]
Sonatype Report Shows Spike in Supply Chain Attacks
Sonatype today released a report that finds there has been a 650% year-over-year increase in supply chain attacks aimed at upstream public repositories. Cybercriminals hope to compromise these repositories by injecting malware into software components that many organizations might be using, according to the report. The seventh annual State of the Software Supply Chain Report […]
Sonatype Acquires MuseDev to Add Code Analysis
Sonatype today revealed it has acquired MuseDev, a provider of a code analysis tool, in addition to updating its Nexus platform for discovering vulnerabilities in software supply chains. Muse analyzes code each time a pull request is opened, which makes it easier for developers to discover and address issues before the code is merged. Muse […]
DevSecOps Trends to Know For 2021
For DevSecOps leaders, 2021 will be the year of the open source supply chain attack. It’s already starting, in fact. On January 7, security researchers at Sonatype identified three malicious Java components in the Maven Central repository. The components had identical names to reputable components. Then on January 20, the same research team found three […]
Sonatype Expands its Fully Automated Open Source Security and Governance Solution to Support C/C++, PHP, and Ruby
Nexus Lifecycle now allows users to scan applications for open source software vulnerabilities, automatically enforce open source governance policies, and easily remediate open source risk for 27 different languages and package formats. Fulton, MD – March 12, 2020 — Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today […]
Vista Equity Partners Acquires Majority Interest in DevOps Leader Sonatype
Partnership to Accelerate Global Growth and Innovation for Automating Open Source Governance and Software Supply Chain Hygiene FULTON, MD., Nov. 18, 2019 (GLOBE NEWSWIRE) — Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today announced it has signed a definitive agreement to receive a majority investment from Vista Equity Partners (“Vista”), […]