DevZone
SAST vs. DAST: Enhancing application security
As the threat landscape continues to evolve, organizations face a formidable challenge: ensure the security of their software applications ...
npm packages caught exfiltrating Kubernetes config, SSH keys
The Sonatype Security Research team is currently tracking an ongoing campaign on the npm registry that uses npm packages to retrieve and exfiltrate your Kubernetes configuration and SSH keys to an external ...
New npm PoC packages target PayPal Zettle, Airbnb developers
Sonatype has identified several npm packages that are named after internal dependencies purportedly used by PayPal Zettle and Airbnb developers ...
A guide for open source software (OSS) security
When you search for a dependable open source software (OSS) component to integrate into your software supply chain, evaluation of the component’s security emerges as a critical task. This involves not only ...
Malicious PyPI package ‘VMConnect’ imitates VMware vSphere connector module
This month, we analyzed a malicious PyPI package called ‘VMConnect,’ which has been designed to strongly resemble the legitimate VMware vSphere connector module, ‘vConnector’, except it hides sinister code within ...
Getting started with the Secure Software Development Framework (SSDF)
In today’s software-driven world, it’s crucial to ensure the security of software during development. Yet many software development life cycle (SDLC) models lack specific emphasis on software security, requiring the addition of ...
“Quoi…? feur” from meme to malware – PyPI package targets Windows with ‘NullRAT’ info-stealer
We’ve got a rather interesting malicious finding this month to talk about, the one that mixes a meme with malware ...
A Closer Look: Differentiating Software Vulnerabilities and Malware
In today’s interconnected digital world, vulnerabilities and malware in open source software pose significant threats to the security and integrity of your software supply chain. While these two terms may appear synonymous ...
npm Manifest Confusion – What Is It and Do You Really Need to Worry About It?
Yesterday, Darcy Clarke, a software developer and a former npm CLI team Engineering Manager, steered everyone’s attention towards a gap in the npm registry website – what he calls “manifest confusion.” ...