Blog | ReversingLabs | Karlo Zanki (2)

March 30, 2023

Red flags flew over software supply chain-compromised 3CX update

The VOIP software vendor missed signs that its client software had been tampered with before it pushed the update to customers.

March 27, 2023

VS Code hack shows how supply chain attacks can extend to other software development tools

The new Visual Studio Code IDE hack highlights the risk of spreading beyond the Extensions Marketplace. Here's how the threat can proliferate to npm.

December 19, 2022

SentinelSneak: Malicious PyPI module poses as security software development kit

A malicious Python file found on the PyPI repo adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne.

December 1, 2022

W4SP continues to nest in PyPI: Same supply chain attack, different distribution method

Here's ReversingLabs' discoveries and indicators of compromise (IOCs) for W4SP, as well as links to our YARA rule that can be used to detect the malicious Python packages in your environment.

September 23, 2022

Threat analysis: Malicious npm package mimics Material Tailwind CSS tool

ReversingLabs has discovered a malicious npm package disguised as the software tool Material Tailwind. Here's an in-depth look at our discovery — and threat analysis. (Updated with MachO executable information.)

August 29, 2022

New malicious packages in PyPI: What it means for securing open source repositories

After a recent discovery of malicious PyPI packages, questions remain about the security community’s ability to mitigate threats posed to open source repositories.

July 5, 2022

Update: IconBurst npm software supply chain attack grabs data from apps and websites

ReversingLabs researchers uncovered a widespread campaign to install malicious NPM modules that are harvesting sensitive data from forms embedded in mobile applications and websites.

June 2, 2022

Go below the surface on tampering: The trouble with software integrity validation

The growing number of software supply chain attacks is putting pressure on validation of software integrity

June 1, 2022

It’s not a secret if you publish it on PyPI

Python packages can contain sensitive information. Here's how software development teams can keep secrets secret.

June 1, 2022

Coinminer and npm: What you see is not always what you get

Source code analysis is always useful. It helps you detect threats early in the dev process. But it shouldn’t be the only tool in your security arsenal.

July 21, 2021

Groundhog day: NPM package caught stealing browser passwords

Today almost everyone knows that they need to protect their publicly exposed services and applications against the potential attacks from the outside

July 7, 2021

Third-party code comes with some baggage

Recognizing risks introduced by statically linked third-party libraries

Software Supply Chain Security

File Security

Security Operations

Products

Technology

Partners

Alliances

Resources

Company

Events

Press

Red flags flew over software supply chain-compromised 3CX update

VS Code hack shows how supply chain attacks can extend to other software development tools

SentinelSneak: Malicious PyPI module poses as security software development kit

W4SP continues to nest in PyPI: Same supply chain attack, different distribution method

Threat analysis: Malicious npm package mimics Material Tailwind CSS tool

New malicious packages in PyPI: What it means for securing open source repositories

Update: IconBurst npm software supply chain attack grabs data from apps and websites

Go below the surface on tampering: The trouble with software integrity validation

It’s not a secret if you publish it on PyPI

Coinminer and npm: What you see is not always what you get

Groundhog day: NPM package caught stealing browser passwords

Third-party code comes with some baggage

Topics

Special Reports

The State of Software Supply Chain Security 2024

Upcoming Webinars

ConversingLabs

Topics

Follow us

Subscribe

Special Reports