Sonatype @sonatype

New React2Shell RCE vulnerabilities highlight a growing challenge for every modern software organization: the expanding risk surface created by generative and agentic AI-accelerated development. Even widely trusted frameworks like React and Next.js can introduce pathways for remote code execution — sometimes without developers realizing the server-side behaviors involved. Our latest blog breaks down the incident and detailed remediation guidelines. Take a look to learn more: lnkd.in/gkVBC-YK #OpenSourceSecurity #DevSecOps #React #SoftwareSupplyChain

Application security is moving fast. Is your team keeping up? Gartner’s new “Hype Cycle for Application Security, 2025” reveals the strategies leading organizations use to cut security incidents by up to 70%—without slowing their release cycles. Ready to stay ahead of emerging threats, streamline DevSecOps, and enable secure innovation? Get the insights your team needs to compete and win. Download the Gartner Application Security Hype Cycle lnkd.in/giiUBr_2 #ApplicationSecurity #DevSecOps #Cybersecurity

Nexus Repository Cloud helps you stay one step ahead by detecting malware in both open source components and AI/ML models — directly in your proxy repository. Add Sonatype Repository Firewall to block and remove risky packages before they ever hit your pipeline. 🛡️ Built for teams shipping faster in the AI era Try it free with 6-month, 500GB promo lnkd.in/gxCszKkV?utm_c… #RepoCloud #SoftwareSupplyChain #AIModelSecurity #DevSecOps #MalwarePrevention

Introducing Nexus One — a cloud-first, developer-centric, and AI-native platform. Built on 15+ years of research and the world’s most comprehensive OSS data, Nexus One helps teams build faster, safer, and smarter. Explore Nexus One: lnkd.in/gmN79dVw?utm_c…

The Latest on npm Supply Chain Attack x.com/i/broadcasts/1…

🚨 Another active attack targeting npm developers — and this one spreads itself. We break down the evolving #ShaiHulud campaign, a new wave of self-propagating malware targeting #npm publishers: ➡️ Over 180+ compromised packages tracked so far ➡️ Multi-stage payloads exfiltrate credentials, poison repos, and auto-spread ➡️ A wake-up call: open source developers are the new frontline Get the latest updates here: bit.ly/41WlxPY #SoftwareSupplyChain #npmSecurity #OpenSourceSecurity #Malware #DevSecOps #CyberSecurity #SupplyChainAttack

Thanks for reaching out — the OWASP In Ten ZAP videos aren’t currently hosted, but we’ve got some updated OWASP-related resources you might find helpful: The OWASP LLM Top 10 + Supply Chain Security: sonatype.com/blog/the-owasp… Data & Model Poisoning in the AI Era: sonatype.com/blog/the-owasp… AI + OWASP topics in our recent webinar (starts ~6min in): webinars.sonatype.com/wcc/eh/5011667…

🚨 New research: Lazarus Group targets developers through open source malware Since January, Sonatype has uncovered 234 malicious packages tied to the North Korea-backed group — deployed via npm and PyPI to exfiltrate secrets, drop payloads, and surveil developers. 📦 120+ used multi-stage droppers 🔐 90+ focused on secrets exfiltration 🎯 36,000 potential victims Our latest whitepaper breaks down the tactics, payloads, and what security teams can do to stay protected. Get the report: bit.ly/3HaoR2I #OpenSourceSecurity #MalwareCampaign #DevSecOps #CyberThreats #SoftwareSupplyChain #ThreatIntel

In finance, trust is everything, and that extends to your #softwaresupplychain. 🔐 Sonatype is trusted by over 70% of the Fortune 100, including leading global banks and insurers, to secure their open source components and reduce software risk at scale. Explore how Sonatype supports the financial services industry: bit.ly/4ezBcK2 #FinancialServices #Cybersecurity #Sonatype #DevSecOps

LLMs are powerful, but their outputs aren’t always safe. Improper output handling can lead to code injection, outages & compliance failures. Learn how Sonatype helps teams validate LLM responses before they reach production: bit.ly/46ooU5c #AIsecurity #OWASP #DevSecOps #LLM

Security and speed don’t have to compete. Discover how Sonatype enables teams to streamline software composition analysis (#SCA) with automated solutions that scale, reducing manual effort while enhancing their risk posture. 🔐 Read the blog: bit.ly/4kjvf6h #DevSecOps #AppSec #SoftwareSecurity #Automation #Sonatype

Java changed everything — igniting the open source revolution and redefining modern software development. In this deep dive from @thenewstack, Sonatype CTO and co-founder Brian Fox reflects on the early days of open source and the movement that followed, in conversation with Darryl Taft. 📖 Read the full story: bit.ly/3Hw5nFs #OpenSource #Java30 #SoftwareInnovation #Sonatype #DevHistory

Streamline security without slowing innovation. Discover how one financial enterprise used Sonatype Lifecycle to scale security, boost efficiency, and reduce risk: 📈 3x faster onboarding 🔍 335% more scans 🛡️ 25% fewer critical risks Read the full story: bit.ly/43ISDTH #AppSec #DevSecOps #OpenSourceSecurity #FinancialServices #CustomerStory #SonatypeSuccess

Data and model poisoning attacks are on the rise — and they threaten the integrity of AI at its core. In part two of our OWASP LLM Top 10 blog series, we break down how Sonatype helps organizations detect and prevent poisoning attacks before they compromise your models. 🔍 Identify poisoned packages ⚠️ Enforce policies that block tainted data 📦 Track AI/ML components with SBOMs 📊 Learn what our research uncovered in top AI ecosystems Read the blog: bit.ly/44K8XWj #AI #SoftwareSupplyChain #ModelPoisoning #DevSecOps #Sonatype #OWASP

Are your AI models compliant and secure? Sonatype’s discovery of four picklescan bypasses is a wake-up call for any team using open source AI. Insecure models can silently introduce risk into your environment—long before they reach production. Read the whitepaper to strengthen your defenses and ensure the integrity of your AI supply chain: bit.ly/43BXxmh #AI #PyTorch #OpenSourceSecurity #SoftwareSupplyChain #DevSecOps #AICompliance

Software supply chain security isn’t just an IT issue anymore — it’s a boardroom priority. With attacks on open source rising 156% in 2024 and new regulations taking effect, executives must lead with proactive strategies that balance innovation, risk, and compliance. Explore our latest executive brief with The Futurum Group to understand the evolving landscape and how to align software security with business outcomes. 📖 Read the brief: bit.ly/3YVZ3Nn #SoftwareSecurity #CISO #BoardroomSecurity #SupplyChainSecurity #CyberResilience #ExecutiveLeadership #Sonatype

🚨 Software attacks are on the rise — and regulators are responding. bit.ly/4iac7FT Our latest executive brief with The Futurum Group explains why 2025 is a defining year for software security, compliance, and board-level accountability. Learn what every executive needs to know: ✔️ Key risks driving regulation ✔️ Questions boards should be asking ✔️ How to align software security with business outcomes #SBOM #DevSecOps #CISO #CIO #OpenSourceSecurity #Compliance

A new Apache Tomcat vulnerability (CVE-2025-24813) was exploited within hours of disclosure, and the threat is real and growing. Learn why this flaw is so dangerous, and what teams must do to stay protected. bit.ly/42apLEl #ApacheTomcat #CyberSecurity #SoftwareSupplyChain #OpenSourceSecurity #DevSecOps #ApplicationSecurity

Open source malware isn’t slowing down. It’s getting smarter. Sonatype’s Open Source Malware Index Q1 2025 reveals a sharp rise in data exfiltration attacks targeting developers — and the stakes are only getting higher. 📈 17,954 new malicious packages identified 📤 56% of them focused on stealing sensitive data 🏦 Financial services, government, and energy sectors were hit hardest 🧠 Open source malware is evolving — less noise, more real threats Sonatype blocked over 22,000 attacks this quarter alone with Repository Firewall. Get the full report and see what your team needs to know to stay ahead: bit.ly/4luWjk3 #OpenSourceSecurity #SoftwareSupplyChain #CyberSecurity #DevSecOps #OpenSourceMalwareIndex

🚨 A data exfiltration campaign was discovered with 10 popular npm crypto packages hijacked — now repurposed to steal sensitive environment variables from unsuspecting developers. bit.ly/422frNa Some of these components have been trusted for nearly a decade and downloaded hundreds of thousands of times. Now, their latest versions are laced with obfuscated info-stealing code. Sonatype researchers uncovered the threat and our tools are already blocking it. Read the full blog here: bit.ly/422frNa #OpenSourceMalware #SoftwareSupplyChain #npm #Malware #InfoStealer #CryptoSecurity #DevSecOps