Hijacking of popular ctx and phpass packages reveals open source security gaps
The Python module “ctx” and a fork of the PHP library “phpass” have recently been modified by an unknown attacker to grab AWS credentials/keys and send …
Sonatype
New infosec products of the week: May 13, 2022
Here’s a look at the most interesting products from the past week, featuring releases from Cohesity, ForgeRock, iDenfy, Nasuni, Orca Security, SecureAge, and Sonatype. …
Sonatype launches solution to remediate malicious and outdated InnerSource components
Sonatype announced a capability focused on identifying and remediating InnerSource components that contain vulnerable, malicious, or outdated open source dependencies. With …
What you need to look out for when installing packages from public repositories
In this Help Net Security video, Ax Sharma, Senior Security Researcher at Sonatype, talks about the risks posed by malicious open source packages. Malicious packages can harm …
Spring4Shell: New info and fixes (CVE-2022-22965)
In this video for Help Net Security, Ax Sharma, Senior Security Researcher at Sonatype, talks about the latest developments regarding Spring4Shell, the unauthenticated RCE …
Sonatype exceeds $100 million in annual recurring revenue and names Alex Berry as President
Sonatype announced it has joined the ranks of the world’s most successful companies and surpassed $100 million in annual recurring revenue (ARR). The company also announced …
Log4Shell update: Attack surface, attacks in the wild, mitigation and remediation
Several days have passed since the dramatic reveal of CVE-2021-44228 (aka Log4Shell), an easily exploitable (without authentication) RCE flaw in Apache Log4j, a popular …
Securing open-source code supply chains may help prevent the next big cyberattack
The headline-making supply chain attack on SolarWinds late last year sent a shock wave through the security community and had many CISOs and security leaders asking: “Is my …
Popular npm package hijacked, modified to deliver cryptominers
Several versions of the npm package for UA-parser.js, a widely used JavaScript library, have been modified to include malicious code and have been made available for download. …
Open source cyberattacks increasing by 650%, popular projects more vulnerable
Sonatype released a report that revealed continued strong growth in open source supply and demand dynamics. Further, with regard to open source security risks, the report …
Saltworks collaborates with Bit Discovery to provide ASM capabilities to application security teams
Saltworks announced a partnership with attack surface management (ASM) provider Bit Discovery to integrate advanced ASM capabilities into SaltMiner, Saltworks’ enterprise …
OpenSSF adds new members from around the globe to improve OSS security
OpenSSF announced new membership commitments to advance open source security education and best practices. New members include Accurics, Anchore, Bloomberg Finance, Cisco …