Open Source Components Analyzed by Sonatype Intelligence:


A History of Software Supply Chain Attacks

July 2017–Present


MARCH 2023

W4SP Copycats Continue to Infiltrate PyPI Registry

A series of malicious packages uploaded to the PyPI registry have been identified as information stealers resembling the popular W4SP stealer. These copycats pose a serious threat to developers who may inadvertently install them, compromising the open-source software supply chain.

Microsoft-Helper Package Reveals Copycat Info-Stealer

The microsoft-helper package on PyPI is a malicious package designed to deploy malware when developers run pip install. It downloads a remote script containing a second-stage payload, which exfiltrates sensitive information through a Discord webhook.

PyPI Package Reverse-Shell Part of MaaS Initiative

The malicious package reverse-shell on PyPI appears to be part of a global malware-as-a-service (MaaS) initiative. It executes a file from GitHub called, which adds an application to the Windows Registry for persistence and launches a malicious script named, designed to exfiltrate sensitive information.

SylexSquad Behind Sophisticated Info-Stealer

SylexSquad is believed to be responsible for the reverse-shell package and the sophisticated info-stealer malware. The malware can retrieve cookies, take screenshots, run shell commands, steal browsing history, and send the data to the attacker's Discord channel.

OpenAI Data Breach Traced to Unpatched Redis Vulnerability

An unpatched software bug/vulnerability in an open-source component called Redis led to a data breach at OpenAI. The incident exposed subscribers' payment-related info and users' chat queries and resulted in Italy becoming the first Western country to ban ChatGPT.



httops Package Attempts to Sneak In Through GTA 5 Mods

The httops package included a payload encoded with base64 with a URL that leads to a website inviting people to download cheats for the video game Grand Theft Auto 5. Users might be inadvertently installing some type of backdoor or remote access trojan (RAT) along with the mods.

Info-Stealers Distributed via Python packages on the PyPI Registry

Our AI detected a series of information stealers uploaded to the PyPI registry. They resemble W4SP Stealer, a dangerous information stealer that has inspired copycats after their emergence as a means to attack software supply chains in July 2022.

Malware Campaign Floods PyPI with Thousands of Malicious Packages

Near the end of February, we tracked a malware campaign involving a threat actor infiltrating the PyPI software registry with thousands of malicious packages. The packages contain a Windows Trojan that downloads second-stage infection from a Dropbox URL.

Malicious ‘aptX’ Python Package Drops Meterpreter Shell, Deletes ‘netstat’

Our security researchers discovered a harmful Python package called aptX on PyPI designed to perform various detrimental activities, such as dropping malware, deleting the “netstat” utility, and tampering with the SSH authorized_keys file on the system.



Minimums Package Attempts to Download and Install a Trojan Virus

Some attackers are designing malware that validates the presence of a virtual machine before attempting to execute. Our AI flagged the minimums package and our security researchers confirmed it as malicious. The package contains a payload in the file that attempts to download a Trojan virus from a rogue server, install it, and log the installation result using a Discord webhook.

A Stack of Malicious Cryptominers Target Linux Systems

Our security research team uncovered a noticeable volume of cryptocurrency miners within the npm registry. In one of our finds, the malicious package speedtestgod contained a package.go file detected as a Trojan that targets Linux systems and attempts to mine cryptocurrency using unsuspecting victims’ resources. We found other packages using the same Trojan file and uncovered that 16 of these malicious cryptominers originated from a single account. The supposed threat actor was reported and removed from the npm registry.



Malicious 'Cabo Custody Restful' Attack Tries to Trick Developers Using MacOS

Some of the malicious packages detected by our AI targeted developers using Mac computers. With cobo-python-api, threat actors used dependency confusion to trick developers into downloading a tainted version of the crypto library ‘Cobo Custody Restful’. By uploading a compromised version with the same name on PyPI, attackers expect that the package manager (pip) used by developers will prioritize the malicious version over the legit GitHub version.

RAT Mutants Attack

Our system flagged (and helped take down) six malicious packages attacking Python developers by combining the capabilities of a remote access trojan (RAT) and information stealers. With names such as easytimestamp, pyrologin, discorder, discord-dev,, and pythonstyles, the malicious packages launch a PowerShell script that fetches a ZIP file and installs the libraries pynput, pydirectinput, and pyscreenshot that allows the attacker to control the target’s mouse and keyboard, and take screenshots.

PyTorch-nightly Build Compromised

PyTorch disclosed the compromise saying the attack exclusively affected users of the PyTorch-nightly build and not users of PyTorch stable packages. From December 25-30 2022, the nightly build downloaded a library called torchtriton—a dependency that executes a malicious binary when imported. PyTorch removed the counterfeit library as a dependency for nightly packages and replaced it with a dummy package registered on PyPI to prevent similar attacks.

Reverse Shell Invasion Caught

More in the series of malicious packages that establish a backdoor connection between the attacker and target using the reverse shell technique. After November 2022’s initial attack, our AI caught additional packages such as aidoc-consul, aidoc.genmfa, and aidoc-e23-utils that leveraged this attack vector.

Malicious __import__ Attempts Still Lurking

In another follow up to an attack in November 2022, our AI caught a series of packages on PyPI that concealed an important statement in their files by using spaces to create the illusion that there’s no malicious code in sight.



Malicious Reverse Shell and Bind Shell Scripts Taint Packages

We discovered packages such as tshawn-Irce and tshawn-wrce that were tainted with malicious reverse shell and bind shell scripts. Other packages our security researchers found, such as requests-dm, fastupdate, and discordxyz, looked for information on the target computer’s OS such as hostnames, IPs, credentials, and other configuration details with the purpose of exfiltrating such data to malicious servers.

pywx PyPI Package Attempts to Run Malicious Code From an External Source

Our security researchers found that this attack started by copying a legit package (object_pool in this case) and then injecting __import__ statement to run malicious code from an external source.



'JuiceLedger' Tries to Catch PyPI Maintainers Unaware

A phishing attack attempts to distribute a .NET-based malware, dubbed 'JuiceStealer,' that steals credential, browser, and cryptocurrency vault information and feeds the ill-gotten goods to a domain (linkedopports[.]com) purportedly controlled by JuiceLedger. This malware attempts delivery in a sequence of a phishing email purporting a validation process which in turn steals login credentials and subsequently drops malware into the packages of unsuspecting PyPI maintainers.



241 Cryptomining Packages Flood npm, PyPI

Sonatype's malware detection systems spotted 186 npm packages that were typosquats of popular libraries. All of these packages dropped cryptominers after infecting Linux systems. A security researcher, Hauke Lübbers, additionally discovered an identical attack on PyPI and shared with us a list of 55 offending Python packages.

PyPI Package ‘secretslib’ Drops Linux Malware to Mine Monero

Malicious 'secretslib' Python package drops second-stage payload in-memory to silently run XMRig and mine Monero.

‘Requests’ Library Typosquats Install Ransomware

We identified and analyzed multiple malicious Python packages that contain ransomware scripts and are typosquats of a legitimate, widely known library called 'Requests.'


JULY 2022

PyPI Packages Steal Telegram Cache Files, Add Windows Remote Desktop Accounts

Sonatype discovered malicious PyPI packages that set up new Remote Desktop user accounts on your Windows computer and steal encrypted Telegram data files from your Telegram Desktop client.

A Python Cryptominer Targeting Windows, Linux, macOS

We identified a suspicious PyPI component called 'python-dateutils' that mines Monero (XMR) cryptocurrency on your system—whether Windows, Linux, or macOS, and steals AWS credentials.


JUNE 2022

npm Malware Exfiltrates Windows SAM, Amazon EC2 Credentials

Sonatype security researchers analyzed npm packages '@core-pas/cyb-core' and 'notreallyapackagetrustme' that attempt to exfiltrate Amazon EC2 credentials as well as sensitive files such as ⁄etc/passwd on Linux, and SAM/SYSTEM on Windows.

Malware Kills Windows Defender to Drop a Trojan

npm package 'flame-vali' claims to let developers "bypass any request proxys." But instead it contains heavily obfuscated payload that makes several attempts to disable Windows Defender before it drops a trojan.

PyPI Packages Exfiltrate AWS Keys, env vars, Secrets

Multiple PyPI packages and typosquats caught by us this month exfiltrate AWS keys, environment variables, and other secret credentials. Users of these packages should immediately rotate their credentials.


MAY 2022

PyPI Package ‘ctx’ and PHP Library ‘phpass’ Compromised to Steal Environment Variables

Immensely popular PyPI package 'ctx' compromised in a supply chain attack and altered to steal environment variables from its users. Additionally, PHP project 'phpass' suffered a repo-hijacking attack with the project tained with an identical malicious payload to steal AWS keys.

New ‘pymafka’ Malicious Package Drops Cobalt Strike on macOS, Windows, Linux

We caught a 'pymafka' typosquat that drops Cobalt Strike payload across all platforms and targets developers using PyKafka, a legitimate Apache Kafka client for Python.

Malicious ‘rustdecimal’ Crate Found in Rust Repository

A malicious typosquat 'rustdecimal' was uploaded to the Rust's crate[.]io registry. The typosquat, named after the legitimate 'rust_decimal' concealed malicious code using carefully crafted XOR obfuscation. Sonatype's research team has analyzed the malware and added the typosquat to our security catalog to keep our customers protected.

Ongoing Campaign Targets ‘colors’ Library

We have now repeatedly seen the developers using the popular 'colors' library being targeted. Typosquats like colors-2.0, colors-update, colorsss are all attempts to make you fall for a nefarious clone of 'colors' laden with info-stealing trojans.

Apache Kafka Project Clone Leverages Dependency Confusion

The 'karapace' PyPI package caught and analyzed by Sonatype has the exact same name as the Python package on GitHub which is "An open-source implementation of Kafka REST and Schema Registry."

‘Bloat free’ Data Exfiltration Technique

In one of the suspicious npm packages Sonatype caught, we saw the npm package did nothing other than download another empty npm package from an external server, which made it all seem quite mysterious. But turns out, this PoC test by a researcher is a mere distraction technique for obtaining your IP address and username in a sleek manner.


APRIL 2022

VMware VSphere Dependency Confusion Attempt Caught by Sonatype

Sonatype's automated malware detection bots flagged a suspicious dependency that has the same name as a real package used by VMware VSphere SDK developers. PyPI took down the package following our report and VMWare confirmed no impact to users and its products in a statement.

500+ Malicious npm Packages Caught by Sonatype

From a 'fix-crash' npm package that steals your Discord info to 400 more malicious packages, caught in addition to those from March, that target Azure developers.

PyPI Takes Down Malicious ‘Distutil’ Package Imitating ‘distutils'

The name 'Distutil' might ring a bell as 'distutils' is a now-deprecated Python library that provided support for building and installing additional modules into a Python installation. 'Distutil' on the other hand contains obfuscated code and is, what looks like a typosquatting attempt.

Rise in ‘Protestware’ During Russia-Ukraine Crisis

Protestware—cases where maintainers behind popular open source projects sabotage their own software to make a point continue to ramp up. In days following the 'node-ipc' sabotage, maintainers behind npm libraries like 'event-source-polyfill', 'es5-ext' and 'styled-components' began adding peaceful anti-war messages to their packages.


MARCH 2022

Careful Out There: Open Source Attacks Continue To Be On the Uptick

We have identified 130 typosquatting packages on npm and a dozen malicious packages on the PyPI repository, at a time when the world is focused on the Russia-Ukraine crisis and governments are urging organizations to step up cyber security efforts in response to related malicious cyber incidents.

New ‘colors-2.0’, ‘colors-3.0’ Packages Are Malicious

To a casual observer, colors-2.0, colors-3.0, and other few may appear to be "newer" versions of the 'colors' library when that's far from the case. These packages are malware and tactfully named in a manner that may confuse a novice developer into mistaking them for the latest versions of official 'colors.'

A Cryptic ‘Reverse Shell’ Found Lurking in PyPI Packages

Don't be fooled by these Python packages that Sonatype has discovered this week on the PyPI registry. From a mysterious reverse shell to an AIOHTTP typosquat making a comeback for the third time!

86 Malicious npm Packages Named After Popular NodeJS Functions

Sonatype's automated malware detection bots have caught 86 npm packages that are named after popular NodeJS and JavaScript functions.

The development follows last week's discovery of over 400 malicious npm packages targeting Azure, Uber, and Airbnb developers—all caught by our malware detection system, offered as a part of Nexus Firewall.



Malicious PyPi Packages Steal Your Roblox Security Cookies and Discord Tokens

Sonatype's automated malware detection systems have once again caught malicious PyPI packages that steal your Roblox security cookies and Discord tokens and drop suspicious EXEs on your system.

PyPI, NuGet, and npm Flooded With Roblox and Fortnite Spam

Sonatype spots threat actors polluting open source repos with bogus packages containing spam links. After tracking a series of massive malware and spam campaigns, we explain why threat actors increasingly target game developers and abuse gaming platforms for their malware-hosting needs.

Trojanized PyPI Package Imitates a Popular Python Server Library

Sonatype has once again stumbled upon a malicious Python package—this time imitating a massively popular middleware library. But instead, this package drops a Remote Access Trojan (RAT) that compromises your system completely.

jQuery npm Typosquat Has a Fishy Surprise

The popular jQuery project has a mysterious sidekick that has popped - 'jquery-lh'. While the npm package does install real jQuery code, behind the scenes it does something fishy and unexpected.



Massively Popular "Colors" and "Faker" npm Libraries Sabotaged

Thousands of open source projects including those produced by companies like Facebook (Meta) and Amazon broke after the developer behind "colors" and "faker" intentionally sabotaged his own packages in protest of "Fortune 500" companies exploiting open source.

PyPI Flooded With More Than 1,200 Dependency Confusion Packages

On January 23rd, a user flooded the PyPI registry with 1,275 dependency confusion packages, as spotted by Sonatype's automated malware detection systems.



Crypto App Faces $5 Million Ransom Demand Following Log4j Hack

One of the largest Vietnamese crypto apps, ONUS,  suffered a cyber-attack due to a vulnerable Log4j version. Threat actors first approached ONUS with a $5 million ransom demand but put up their 2 million customer records for sale online after the company refused to pay.

Log4j Zero-day Sets the Internet on Fire With 'Log4Shell' Attacks

A critical zero-day in immensely popular logging framework, log4j, is disclosed along with a public PoC. Shortly, attackers began mass exploitation of the flaw to push malware on vulnerable servers. Soon enough, CISA issues advisory and a dedicated webpage to urge organizations to remediate Log4Shell attacks.

Malicious PyPI Packages With 10,000 Downloads Taken Down

These packages dropped trojans on Windows machines and attempted to pry on Apache Mesos instances on Linux systems.



Popular Library "coa" Gets Hijacked in an Identical Style as "ua-parser-js"

Malicious versions of "coa" broke React pipelines around the world until they were removed. These versions contained similar credential-stealing trojan as the one seen in hacked "ua-parser-js" versions.

Hours After "coa" Hijack Is Discovered, "rc" Is Hijacked, Too

Yet another popular npm package, "rc" with 14 million weekly downloads is hijacked to spread malware, merely hours after "coa" hack is spotted. The malware and attack style is identical, drawing a link between the threat actor behind both incidents. NPM pins the cause of both attacks to project maintainer's account compromise.



Newly Found npm Malware Mines Cryptocurrency on Multiple Devices

Between October 12–15, new npm cryptomining malware was found targeting Linux, macOS, Windows devices, and imitating the legitimate "ua-parser-js" package.

Popular "ua-parser-js" Library Attacked

On October 22, a popular "ua-parser-js" library with over 7 million weekly downloads was itself hijacked. The same cryptominers were found.

Fake npm Roblox API Package Installs Ransomware and has a Spooky Surprise

Between October 20 and 26, Sonatype discovered typosquatting packages that mimic noblox.js, a popular Roblox game API wrapper. The Obfuscated malware found in npm includes extra unwanted functionalities including trojans, ransomware, and even a spooky surprise.



Cryptocurrency Heist Stemmed from a Malicious GitHub Commit

SushiSwap's MISO cryptocurrency platform suffered a $3 million theft resulting from a software supply-chain attack. Just one malicious code commit made to Sushi’s private GitHub repository was enough to alter the company’s auction portal, and replace the authentic wallet address with the attacker's.


JULY 2021


A ransomware group discovered and exploited a zero-day vulnerability in a remote monitoring and management software platform used by dozens of managed security providers (MSP). Because these MSPs service thousands of downstream customers, the hackers were able to conduct a ransomware attack against 1,500 victims.


MAY 2021

Microsoft’s WinGet Flooded With Duplicate, Malformed Apps

The weekend after launching, Winget's software registry was flooded with pull requests for apps that were either duplicates or malformed. Some newly added duplicate packages were corrupted and ended up overwriting the existing packages, raising serious concerns about the integrity of the Winget ecosystem.


APRIL 2021


An attacker was able to gain access to a credential via a mistake in how Codecov were building Docker images. This credential then let them modify Codecov’s bash uploader script which was either used directly by customers or via Codecov’s other uploaders like their Github Action. The attacker used this modified script to steal credentials from the CI environments of customers using it.



Namespace Confusion

Three days after news broke of an ethical researcher hacking over 35 big tech firms in a novel supply-chain attack, more than 300 malicious copycat attacks were recorded. Within one month, more than 10,000 dependency confusion copycats had infiltrated npm and other ecosystems.




Threat actors gained access to SolarWinds dev infrastructure, and injected malicious code into Orion update binaries. 18,000 customers automatically pulled trojanized updates, planting backdoors into their systems and allowing bad actors to exploit private networks at will.


“CursedGrabber” Malware Discovered

Discovery of the malware, called xpc.js in the npm registry confirmed to be a part of the newly identified family of Discord malware named CursedGrabber. This malware targets Window hosts and steals Discord information, sending user information via webhook to the attacker.

Counterfeit Components Discovered in the npm Ecosystem

The series of components were identified as a successor to “fallguys” malware: discord.dll,, wsbd.js, and ac-addon. These components exfiltrate Discord and web browser’s “leveldb” files, as well as collect data such as IP address, “PC username,” “discordcanary” files, etc.

New npm Malware With Bladabindi Trojan Spotted

The malicious typosquatted packages jdb.js and db-json.js are found laced with a popular Remote Access Trojan (RAT), njRAT aka Bladabindi. Upon install, the malicious script engaged in data gathering and reconnaissance, ultimately launching patch.exe which is an njRAT written in .NET. This allows a remote attacker to log keystrokes, modify registry values, initiate system shutdown or restart at will, among other nefarious activities.



Brandjacking Malware Found in npm

The counterfeit package twilio-npm opens a backdoor on a user’s device, giving attackers control of the compromised machine and Remote Code Execution (RCE) capabilities.



Multiple npm Packages Vulnerable to Typosquatting Attacks

The electorn, loadyaml, lodashs, and loadyml packages have all been identified as vulnerable. Once installed, the packages collect and expose sensitive information, including IP address, geolocation, and device fingerprint, publishing this data to a public GitHub page.


MAY 2020

Octopus Scanner

26 open source packages were found to be compromised through malicious code injection. The malware was designed to enumerate and backdoor NetBeans projects through the NetBeans IDE.


APRIL 2020

Hundreds of Malware Gems found on RubyGems

400 gems were removed from the public repository for typosquatting and crypto mining malware. They include atlas-client (downloaded 2,100 times by developers).



Microsoft Spots Malicious JavaScript Package

The malicious npm package — 1337qq-js — exfiltrates sensitive information such as hard-coded passwords or API access tokens through install scripts and targets UNIX systems only.



Trojanized Python Libraries Removed

Two Python libraries, python3-dateutil and jeIlyfish, were caught stealing SSH and GPG keys from the projects or infected developers.


Computers Running Malicious npm Package Considered “Fully Compromised”

All versions of sj-tw-test-security are found to contain malicious code. The package downloads and runs a script that opens a reverse shell in the system, allowing a remote attacker to compromise the affected system.

Prototype Pollution Vulnerability Continues to Cause Problems

Taking advantage of a typosquatting exploit for lodash npm packages, all versions of the lodahs package contain malware designed to find and exfiltrate cryptocurrency wallets. Packages web3b and web3-eht were removed for the same exploit pattern.



Gem Packages Pulled From Repo

Three versions of the Gems package basic_authable, released in 2017, were yanked from the Gems repository due to their malicious nature.



Compromised Version of rest-client Maintainer Stole credentials, Installed Crypto Miners

A compromised version of rest-client, a popular HTTP and REST client for Ruby, was uploaded to RubyGems. Affected versions (1.6.10 to 1.6.13) were downloaded about 1,000 times. Similar vulnerabilities were found in Gem packages coming-soon and cron_parser.

Malicious Package Removed From npm Repository

The component bb-builder stole login information from the computers it was installed on, sending it to a remote server.


JULY 2019

Malicious Python Libraries Removed From PyPI

A security firm found three malicious Python libraries — libpeshnx, libpesh, and libari — uploaded on the official Python Package Index (PyPI) that contained a hidden backdoor which would activate when the libraries were installed on Linux systems.

RubyGems Component Found to Contain Malicious Code

This attack involves remote code execution in applications using or bundling the strong_password component. The hacker in this attack compromised the component and its dependencies — and locked out the gem maintainer


JUNE 2019

Cryptocurrency Attack on npm via Malicious Code Injection

An npm package contained code designed to steal cryptocurrency wallet seeds and other login instruction details specific to cryptocurrency apps. Tipped off by npm researchers, makers of the Agama cryptocurrency wallets shifted $13 million worth of currency before adversaries could steal it.

23 Malicious RubyGems Packages Discovered

Packages were pulled from the public repository because they contained code for cryptomining or cookie/password stealing.


MARCH 2019

Backdoored RubyGems Package Allows Remote Code Execution

A malicious version of the popular bootstrap-sass package, downloaded a total of 28 million times to date, and with 1.6K dependencies, is published to the RubyGems repository. 



Malicious Package Injected Into Popular npm Package

The injected code in the event-stream package targets the Copay application and was designed to harvest account details and private keys from accounts having a balance of more than 100 Bitcoin or 1,000 Bitcoin Cash.

JULY 2018

Compromised JavaScript Package Caught Stealing npm Credentials

A hacker gains access to a developer’s npm account and injects malicious code into a popular JavaScript library called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit.

Homebrew Repository Compromised

A GitHub API token leaked from Homebrew’s Jenkins provided a security researcher with access to core Homebrew software repos.

“If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it,” researcher Eric Holmes explained.


JUNE 2018

Linux Distro Hacked on GitHub

Unknown individuals gain control of the Github Gentoo organization and modified the content of repositories as well as pages within — all code considered compromised.


MAY 2018

Backdoored npm Package Discovered

npm security team responds to reports the getcookies package, which contained malicious code that allowed remote users to execute arbitrary code on servers. The investigation also revealed that an existing package called mailparser began listing http-fetch-cookies as a dependency. Despite being deprecated, mailparser still receives about 64,000 weekly downloads.

Backdoored PyPI Package Discovered

Python module ssh-decorator backdoored to collect users' SSH credentials and sent the data to a remote server.



Deleted GitHub Account Resurrected by Unknown User

After a developer deleted their go-bindata GitHub account, someone immediately grabbed the ID — inheriting the karma instilled in that ID and calling into question packages and sources.

npm Credentials Intentionally Compromised

A malicious version of a package from a core contributor to the conventional-changelog ecosystem is published. The package was installed 28,000 times in 35 hours and executed a Monero crypto miner.



“I’m harvesting credit card numbers and passwords from your site. Here’s how.”

David Gilbertson writes a fictional tale on his blog about creating a malicious npm package.



PyPI Typosquat

10 malicious Python packages found with misspelled names intentionally chosen to trick users. Evidence of the fake packages being incorporated into software was noted multiple times between June and Sept 2017.

JULY 2017

Typosquatting Attack on npm

39 packages harvested undetected over two weeks, collecting credentials used to publish to the npm repository itself.

npm Credentials Published Online

Affects access to 14% of the npm repo (79K packages). As a result, npm reset the passwords and auth tokens of over 1,000 developers.

17 Backdoored Images Created on Docker Hub

Username docker123321 uploads backdoored container images used to install reverse shells and cryptocurrency miners on users' servers. Images not removed until June 2018. The same username is later accused of poisoning a Kubernetes honeypot (Jan. 2018) and equated to a crypto-mining botnet (May 2018).


Additional Resources


2021 State of the Software
Supply Chain Report

Sonatype’s report blends a broad set of data to reveal important findings about open source and its increasingly important role in digital innovation.


What is Nexus Intelligence?

See how artificial intelligence and machine learning that never stops learning, plus 65 world class professionals with 500+ years of experience lead to the best data in the industry. 

Scanner Icon

Are Your Applications Secure?

Are you at risk of a software supply chain hack? Try Nexus Vulnerability Scanner for FREE to find out if your software has any open source security vulnerabilities.

Ready to Try Sonatype?

Secure and automate your software supply chain.