Read about application security, DevSecOps, license compliance, supply chain security, and malicious packages.
Open source code package repositories allow anyone to store or publish packages, and unfortunately that can include packages containing malware. These are known as malicious packages. Read on to learn about what they are and how they work.
A new malicious package named 'Vibranced' has been detected on the Node Package Manager (npm) repository and poses a significant threat to users who may unknowingly install it. The package has been carefully crafted to mimic the popular ‘colors’ package.
Malicious packages are a growing threat, and they may already have infiltrated your applications. Malicious package attacks spiked significantly from 2021 to 2022, further indication of their growing security risk to the open source ecosystem. Mend.io research observed a 315 percent spike in the publication of malicious packages to open source registries such as npm...
Research from Mend.io’s new Malicious Packages Special Report: Attacks Move Beyond Vulnerabilities illustrates the growing threat of malicious packages, including a 315 percent increase in attacks from 2021 to 2022.
Discover how integrating AppSec into your repository, like Bitbucket Cloud, can improve and simplify your application security.
Learn about the risks posed by leaked code and malicious packages at Russian tech giant Yandex.
Mend researchers identify a new type of malicious code that deletes directories.
Our team detected an attack on npm packages that utilized typosquatting to compromise nearly 300 NPM packages.
Over the past three days, the Mend research team identified two separate attacks that published malicious packages to npm: reverse remote shell as part of typosquatting attack on the popular ‘cors’ package, and an ATO attack on the “Just Eat” organization.
Mend Research uncovered an unusual attack in RubyGems that exploited a previously existing package with a significant number of downloads to launch a typosquatting attack.
Another week, another supply chain incident. It’s been only nine days since the Mend research team detected the dYdX incident, and today we have detected another supply chain malicious campaign.
San Francisco-based dYdX, a widely used decentralized crypto exchange with roughly $1 billion in daily trades, has had its NPM account hacked in a software supply chain attack detected by Mend Supply Chain Defender
By comparing current malicious package trends with malware’s evolution over the past 20 years, we can predict a likely future direction for malicious packages.
The Mend research team analyzes a malicious package in which the harmful code is not only in a JSON file, but is also fully encrypted.
Discover why npm is susceptible to RCE, why it’s such a serious threat, the characteristics of RCE in npm, what should be done to stop it, and how Mend Supply Chain Defender achieves this.
Monero (XMR) is an open-source, privacy-oriented cryptocurrency that was launched in 2014. It uses a public distributed ledger containing technology that obscures transaction details to ensure the anonymity of its users. Monero maintains egalitarian mining, allowing anyone to participate. As tempting as it may seem, some go a step further and use the infrastructure of...
Mend Supply Chain Defender reported and blocked a massive dependency confusion attack involving a single author uploading 168 packages to npm.
Understand how software supply chains work in large enterprises, discover the most important elements of software supply chain management, and how Mend can address them.
On June 6th, 2022, the Mend research team detected and flagged a malicious dependency confusion attack in npm exfiltrating Windows SAM and SYSTEM files.
Mend security analyzed the possible impact of a newly discovered RubyGems vulnerability that uses cache poisoning to implement an unauthorized takeover of new gem versions.
Mend security team blocked a malicious npm package that uses a novel approach to disguise and execution.
Using data from Supply Chain Defender, the Mend research team conducted an impact analysis of a recent critical CVE disclosed for RubyGems.
Mend security has uncovered malicious packages using hex encoding and delayed execution
From the factory floor to online shopping, the benefits of automation are clear: Larger quantities of products and services can be produced much faster. But automation can also be used for malicious purposes, as illustrated by the ongoing software supply chain attack targeting the NPM package repository. By automating the process of creating and publishing...
Understand the types of Ruby supply chain attacks. Learn the best practices for preventing supply chain security risks in your Ruby projects.
Mend Supply Chain Defender detected and reported more than 1,300 malicious npm packages in 2021, and its researchers have developed this list of facts that are vital to understanding npm package security
Mend Supply Chain Defender detects the new release of a package called @maui-mf/app-auth that used a vector of attack similar to the server side request forgery (SSRF) attack against Capital One in 2019
A popular npm package with more than 7 million weekly downloads was compromised, bringing supply chain security into the headlines once again.