Sonatype reveals DevOps and SecOps leaders’ views on generative AI

While the tech community remains divided on the potential of generative AI tools, there's a consensus that their impact on the industry is comparable to the adoption of cloud technology.

Software engineers are harnessing generative AI to explore libraries, create new code, and enhance their development process, while application security professionals employ it for code analysis and security testing.

A recent survey conducted by Sonatype in the US sheds light on how...

12 September 2023 | Artificial Intelligence

Malicious PyPI package discovered in ongoing ‘PaperPin’ campaign

In a recent analysis conducted by Sonatype, a malicious Python Package Index (PyPI) package named 'VMConnect' was discovered masquerading as the legitimate VMware vSphere connector module 'vConnector'.

The counterfeit package was found to contain sinister code designed to compromise users' systems. Further investigation revealed an ongoing campaign involving additional packages like "ethter" and "quantiumbase," all sharing the same structure and payload.

The 'VMConnect'...

4 August 2023 | Hacking & Security

Sonatype uncovers further malicious PyPI and npm packages

Sonatype continues to uncover a significant number of malicious packages within the PyPI and npm software registries.

Among the flagged packages were several Python packages published on PyPI, masquerading as legitimate libraries named after the popular npm "colors" library.

The malicious packages, including names such as "broke-rcl," "brokescolors," and "trexcolors," exclusively targeted the Windows operating system. Once installed, these packages would initiate the...

23 June 2023 | Developer

80% of Spring framework downloads are exploitable versions

Data from Sonatype suggests that 80 percent of weekly Spring framework downloads are still exploitable versions.

Spring is a mighty popular framework—often ranking in the top three most-used Java frameworks. That’s why the Java developer community was shaken when a vulnerability named Spring4Shell (CVE-2022-22965) was leaked by a security researcher ahead of an official CVE publication.

Spring4Shell allows unauthenticated remote code execution. This week, the US...

5 April 2022 | Frameworks

Sonatype analysis reveals a 73 percent surge in open-source demand

A report from Sonatype has revealed a 73 percent surge in the demand for open-source despite a year of high profile vulnerabilities.

The growing use of open-source to keep up with the pace of modern development makes it a prime target for cybercriminals. We’ve seen this multiple times in practice over the past year with devastating attacks like that on SolarWinds even making national headlines for its widespread implications.

In fact, Sonatype’s report highlights a...

15 September 2021 | Hacking & Security

Sonatype Lift uses deep code analysis to suggest bug fixes

Sonatype has launched a new deep code analysis platform called Lift which can detect a wide range of bug types.

Lift detects bugs ranging from style issues to complex coding errors commonly found in first-party source code and third-party open source libraries.

Research from Veracode last year found that open-source libraries cause security flaws in around 70 percent of apps. However, open-source libraries are often critical to projects.

Using a deep code...

17 June 2021 | Development Tools

Sonatype: COVID-19 causes 28% drop in UK software development

New research from Sonatype suggests COVID-19 has caused a 28 percent drop in UK software development.

COVID-19 has gripped countries around the world and grinded their economies to a halt. Britain’s furlough scheme – seeing the state pay 80% of people’s wages – has prevented the level of job losses seen in many countries, but that’s still over 7.5 million people currently sitting idle.

Sonatype measured open-source software download requests from The Central...

21 May 2020 | Developer