dependency confusion
GitHub Fights Forks — Millions of Them — Huge Software Supply Chain Security FAIL
Richi Jennings
Forking hell: Scrotebots clone thousands of projects, injecting malware millions of times ...
Security Boulevard
New npm PoC packages target PayPal Zettle, Airbnb developers
Sonatype has identified several npm packages that are named after internal dependencies purportedly used by PayPal Zettle and Airbnb developers ...
John Deere dependency confusion attempt flagged by Sonatype
This week Sonatype identified 17 npm packages, at least 12 of which directly target John Deere's private npm dependencies via dependency confusion, a technique that continues to repeatedly be employed by bug bounty ...
npm package downloads another package while exfiltrating your IP address and username
Ax Sharma | dependency confusion, DevZone, FEATURED, malware prevention, Nexus Firewall, Vulnerabilities
On any given day, Sonatype's security research team analyzes dozens to hundreds of suspicious packages published to open source registries including npm and PyPI ...
This Week in Malware—Malicious ‘Distutil’ and Spring4Shell active exploitation
This week in malware we have a lot to go over. A mysterious 'Distutil' Python library found on the PyPI repository, active Spring4Shell exploitation by threat actors deploying crypto-miners, ProxyShell exploits targeting ...
VMware VSphere dependency confusion attempt caught by Sonatype
Ax Sharma | dependency confusion, DevZone, FEATURED, malware prevention, Nexus Firewall, Vulnerabilities
Last week, Sonatype discovered a dubious package 'vapi-client-bindings' published to the PyPI open source repository. The discovery was made by Sonatype's automated malware detection bots ...
Why are dependency confusion attacks not going away?
Ever since the dependency confusion (or namespace confusion) technique gained widespread attention in early 2021, we are yet to see the momentum around these attacks slow down ...
PyPI Flooded with 1,275 Dependency Confusion Packages
Ax Sharma | dependency confusion, DevZone, FEATURED, Nexus Firewall, Product, PyPI, Vulnerabilities
Sonatype’s automated malware detection platform Nexus Firewall has flagged multiple dependency confusion packages on the PyPI registry today, all uploaded by the same user. On January 23rd, PyPI user arturlebedev began flooding ...
Are You Still Wondering About Dependency Confusion Attacks?
Luke Mcbride | dependency confusion, FEATURED, Industry commentary, News and Views, Product, Supply Chain Attacks
Recently, the Biden White House released an Executive Order detailing new requirements to address cybersecurity and secure software development, as it relates to national security. This order addresses a variety of issues ...