Spectra Assure Community
Find the best building blocks for your next app.
Secure Open Source
Building secure software requires the best of Open Source.
Spectra Assure Community allows you to review the key aspects of software safety before including your next dependency.
Share Assessment Reports
Customers demand software transparency.
Go beyond sharing a simple SBOM. Demonstrate your commitment to building secure software. Share assessments, raise concerns, and triage issues together with your users. Cut the noise and prioritize what matters.
Secure Dev Toolchains
Building secure software relies on trustworthy development toolchains.
Spectra Assure Community allows you to trust the compilers, linkers, IDE plugins and CI/CD pipelines that you use to build apps.
Complete Approach to Secure Software Supply Chains
Malicious attacks on public open source repositories are now as pervasive as developers' use of open source dependencies. Spectra Assure Community monitors open source packages to identify malware, code tampering and indicators of software supply chain attacks.
Quick guided tour
Learn how our reports help you make the best choices for keeping your credentials, projects and end users safe from malicious attacks.
Compromised ultralytics PyPI package delivers crypto coinminer
Dec 9, 2024
A popular AI library with 60 million downloads was compromised by exploiting a GitHub Actions vulnerability. The compromised PyPI package delivers downloader code.
Malware found in Solana npm library raises the bar for crypto security
Dec 5, 2024
Two versions of @solana/web3.js open source library were infected with code to steal private keys, putting crypto platforms and wallets at risk.
Malicious PyPI crypto pay package aiocpa implants infostealer code
Nov 28, 2024
ReversingLabs’ machine learning-based threat hunting system detects malicious code in a legitimate-looking package engineered to compromise cryptocurrency wallets.
Differential analysis raises red flags over @lottiefiles/lottie-player
Nov 21, 2024
Three versions of the popular package were infected and used to spread malicious code stealing crypto wallet assets.
Malicious NuGet campaign uses homoglyphs and IL weaving to fool devs
Jul 11, 2024
Malicious NuGet packages found impersonating legit packages using homoglyphs and injecting malicious functionality using IL weaving.
Malicious npm packages target AWS users
Jun 26, 2024
A dormant package turned malicious only after a few months; the threat actor was trying to pass off the malicious package as a legitimate one.
Malicious package with wiper functionality detected in PyPI
Jun 5, 2024
Malicious packages published as part of irresponsible red team activity present a threat to incautious developers and generate noise for security researchers.
Suspicious NuGet package grabs data from industrial systems
Mar 26, 2024
A suspicious package that demonstrates how thin the line between industrial espionage and unconventional feature implementation can be.
BIPClip: Malicious packages target crypto wallet recovery passwords
Mar 12, 2024
Malware authors try to fool developers looking to implement Bitcoin Improvement Proposal 39 (BIP39) in order to steal the mnemonic phrases used to recover lost or destroyed crypto wallets. The campaign lasted for more than a year, with the first malicious package dating back to December 2022.
Attackers leverage PyPI to sideload malicious DLLs
Feb 20, 2024
Two PyPI packages observed using DLL sideloading to execute code without attracting the attention of security monitoring tools. The attack was carried out by loading malicious code located in an unsigned (and therefore untrusted) DLL from the context of a signed PE executable.
GitHub leveraged to store stolen data
Jan 23, 2024
GitHub is increasingly being used to easily deploy malicious open source software. One novel way is using GitHub to store stolen sensitive data.
Malware leveraging public infrastructure on the rise
Dec 19, 2023
Malware authors occasionally upload their samples to services like Dropbox and Discord to host second stage malware. This time around, GitHub was being abused to issue commands to PyPI malware.
Protestware taps npm to call out wars
Nov 16, 2023
Newly discovered open source software packages on the npm platform contain scripts that broadcast peace messages related to the ongoing conflicts in Ukraine and in the Gaza Strip when they are deployed.
IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations
Oct 31, 2023
These packages show how threat actors have moved from simple downloaders executing inside install scripts to a more refined approach that exploits NuGet’s MSBuild integrations feature to trigger execution of malicious functionality.
Malicious npm package delivering r77 rootkit
Oct 4, 2023
The letter “s” was all that separated a legitimate npm package from a malicious twin that delivered the open source r77 rootkit — this typosquatting package was downloaded more than 700 times.
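The NuGet homoglyph campaign above and this one-letter npm typosquat are two flavours of the same trick: a name that a developer reads as the real package. The following is an added example, not code from ReversingLabs or Spectra Assure, showing the check a registry-facing tool can run before a dependency is installed. It folds a candidate name through a small, hand-picked confusables table (a real tool would use the Unicode confusables.txt data) and then measures edit distance against a constructed allow-list of well-known package names; both the allow-list and the candidate names are constructed for the example.

```python
"""Flag package names that are typosquats or homoglyph look-alikes.

Added example (not ReversingLabs code). Two detections are combined:
  * homoglyph: the name is a different string, but folds to the same
    "skeleton" as a known package (Cyrillic/Greek letters, fullwidth forms);
  * typosquat: the folded name is one edit away from a known package
    (the extra "s" case).
Assumptions: CONFUSABLES is a hand-picked subset of Unicode confusables,
and POPULAR is a constructed allow-list standing in for registry
download statistics.
"""
import unicodedata
from typing import Dict, Iterable, Optional, Tuple

# Hand-picked confusables (assumption: a real tool loads confusables.txt).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0456": "i", "\u0455": "s",            # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",            # Greek
}

# Constructed allow-list of "popular" names across ecosystems.
POPULAR = ["lodash", "express", "requests", "Newtonsoft.Json"]


def skeleton(name: str) -> str:
    """Fold a name to the string a human would read it as."""
    folded = unicodedata.normalize("NFKC", name)   # fullwidth, ligatures, etc.
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).casefold()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, popular: Iterable[str] = POPULAR) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_known_name); verdict is one of
    'known', 'homoglyph', 'typosquat', 'ok'."""
    popular = list(popular)
    cand_sk = skeleton(candidate)
    for known in popular:
        # Registries are case-insensitive, so a case variant is the same package.
        if candidate.casefold() == known.casefold():
            return ("known", known)
        # Same skeleton but a different string: look-alike characters were used.
        if cand_sk == skeleton(known):
            return ("homoglyph", known)
    for known in popular:
        # One edit away after folding: the dropped/added/swapped-letter typosquat.
        if levenshtein(cand_sk, skeleton(known)) == 1:
            return ("typosquat", known)
    return ("ok", None)


def audit(names: Iterable[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    return {n: classify(n) for n in names}


# Constructed candidates: exact, extra "s", dropped "s", Greek omicron, unrelated.
SAMPLE_NAMES = ["lodash", "lodashs", "expres", "Newtonsoft.Js\u03bfn", "left-pad"]

if __name__ == "__main__":
    for name, (verdict, match) in audit(SAMPLE_NAMES).items():
        print(f"{name!r:28} {verdict:10} {match or ''}")
```

Run the block as a script to see the five constructed names classified; the homoglyph verdict is the one that neither a diff nor a quick glance at a package page will catch, which is why the fold happens before the edit-distance comparison.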
VMConnect supply chain attack linked to North Korean threat actors
Aug 31, 2023
PyPI was leveraged to target developers in the first such software supply chain attack attributed to state-sponsored threat actors. The malicious packages mimicked popular open source Python tools to trick developers into installing them.
Fake Roblox packages target npm with Luna Grabber
Aug 22, 2023
Attackers are increasingly using open source malware in their attacks on developers. As in the 2021 campaign, fake Roblox packages mimicking the legitimate noblox.js package delivered the open source infostealer Luna Grabber.
Brainleeches - First crossover of phishing and supply chain attacks
Jul 6, 2023
“Write once, infect everywhere” might be the new cybercrime motto, with newly discovered campaigns showing malicious npm packages powering phishing kits and supply chain attacks.
Who checks the contents of compiled Python files?
Jun 1, 2023
In the ever-evolving pursuit of detection evasion, attackers are starting to take advantage of the fact that Python bytecode (.pyc) files can be executed directly, so a malicious package need not ship any readable source at all.
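Because a .pyc is just a 16-byte header followed by a marshalled code object, it can be inspected without running it. The following is an added example, not code from ReversingLabs or the post above: it compiles a constructed, harmless loader-style snippet (base64 payload handed to exec) to bytecode, then parses the .pyc and walks the nested code objects for the indicators a reviewer would want surfaced. The header layout assumed is the PEP 552 one used since Python 3.7, and the indicator lists are illustrative, not a complete rule set.

```python
"""Inspect a compiled Python file (.pyc) without executing it.

Added example (not ReversingLabs code). Steps:
  1. compile a constructed sample to .pyc with py_compile;
  2. check the magic number and skip the 16-byte PEP 552 header;
  3. marshal.loads the code object and recurse into nested code objects;
  4. report suspicious names and base64-looking string constants.
Assumption: Python 3.7+ header layout (magic, flags, mtime/hash).
"""
import base64
import importlib.util
import marshal
import py_compile
import re
import tempfile
import types
from pathlib import Path
from typing import Dict, Iterator

# Constructed sample: the shape of a downloader/loader stage. The payload
# is harmless (it prints a string), only the pattern matters here.
SAMPLE_SOURCE = (
    "import base64, urllib.request\n"
    "_p = base64.b64decode(\"{payload}\")\n"
    "exec(_p)\n"
).format(payload=base64.b64encode(b"print('hello')").decode())

# Illustrative indicator lists, not a complete rule set.
SUSPICIOUS_NAMES = {"exec", "eval", "compile", "b64decode", "urlopen", "system", "Popen"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
HEADER_LEN = 16  # PEP 552: 4 magic + 4 flags + 8 mtime/size or hash


def compile_to_pyc(source: str, directory: Path) -> Path:
    src = directory / "sample.py"
    src.write_text(source)
    pyc = directory / "sample.pyc"
    py_compile.compile(str(src), cfile=str(pyc), doraise=True)
    return pyc


def load_code_object(pyc_path: Path) -> types.CodeType:
    data = pyc_path.read_bytes()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        # A .pyc built by another interpreter version cannot be unmarshalled safely.
        raise ValueError("magic number mismatch: compiled by a different Python")
    return marshal.loads(data[HEADER_LEN:])


def walk_code(code: types.CodeType) -> Iterator[types.CodeType]:
    """Yield the module code object and every nested function/class body."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def scan_pyc(pyc_path: Path) -> Dict[str, object]:
    names, b64_strings = set(), []
    for code in walk_code(load_code_object(pyc_path)):
        names.update(n for n in code.co_names if n in SUSPICIOUS_NAMES)
        b64_strings.extend(c for c in code.co_consts
                           if isinstance(c, str) and B64_RE.match(c))
    return {
        "names": sorted(names),
        "b64_strings": b64_strings,
        # Decode-then-execute is the combination worth a human look.
        "suspicious": bool(names & {"exec", "eval"}) and bool(b64_strings),
    }


def scan_sample() -> Dict[str, object]:
    """Compile the constructed sample and scan it; returns the findings dict."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_pyc(compile_to_pyc(SAMPLE_SOURCE, Path(tmp)))


if __name__ == "__main__":
    for key, value in scan_sample().items():
        print(f"{key}: {value}")
```

The same walk works on a .pyc pulled out of a wheel or sdist; the point is that co_names and co_consts survive compilation intact, so stripping the .py files from a package hides nothing from a scanner that bothers to unmarshal the bytecode.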
Mining for malicious Ruby gems
Apr 16, 2020
“Jim Carrey” and “Peter Gibbons” impersonators join in a barrage of typosquatting malware on RubyGems targeting software repository users. The malicious code was designed to redirect cryptocurrency transactions.