Spectra Assure Community
Find the best building blocks for your next app.
Secure open source
Building secure software requires the best of Open Source.
Spectra Assure Community allows you to review the key aspects of software safety before including your next dependency.
Share assessment reports
Customers demand software transparency.
Go beyond sharing a simple SBOM. Demonstrate your commitment to building secure software. Share assessments, raise concerns, and triage issues together with your users. Cut the noise and prioritize what matters.
Secure dev toolchains
Building secure software relies on trustworthy development toolchains.
Spectra Assure Community allows you to trust the compilers, linkers, IDE plugins and CI/CD pipelines that you use to build apps.
Complete approach to
secure software supply chains
Malicious attacks on public open source repositories are now as pervasive as developers' use of open source dependencies. Spectra Assure Community monitors open source packages to identify malware, code tampering and indicators of software supply chain attacks.
Quick guided tour
Learn how our reports help you make the best choices for keeping your credentials, projects and end-users safe from malicious attacks.
Graphalgo fake recruiter campaign returns
Apr 9, 2026
An attack targeting crypto developers has been respawned — with an LLC and new techniques to hide malware.
Fake install logs in npm packages load RAT
Mar 24, 2026
The final-stage malware in the Ghost campaign is a RAT designed to steal crypto wallets and sensitive data.
Inside the fake crypto developer recruitment hack
Feb 12, 2026
More-in-depth technical analysis of the packages involved in the "graphalgo" campaign.
Fake recruiter campaign targets crypto devs
Feb 11, 2026
A new branch of a fake job recruitment campaign, dubbed "graphalgo", is targeting developers with a RAT.
NuGet malware targets Nethereum tools
Dec 17, 2025
Malicious NuGet package targeting crypto wallets and OAuth tokens to steal funds.
VS Code extensions contain trojan-laden image
Dec 10, 2025
RL has discovered 19 malicious extensions on VSCode Marketplace - the majority containing a malicious file posing as a PNG.
New Sha1-hulud worm spreads on npm
Dec 9, 2025
RL automated detection system has detected the new wave of Shai-Hulud worm compromising popular npm packages with cloud token-stealing malware.
Bootstrap script exposes PyPI to domain takeover attacks
Nov 26, 2025
Bootstrap scripts for zc.buildout that install the package distribute fetch and execute an installation script from python-distribute[.]org — a legacy domain that is now available for sale.
How PowerShell Gallery simplifies attacks
Nov 4, 2025
PowerShell clobbering combined with autoloading and dynamic modules in the global scope allows modules to register commands that can take precedence over those registered by the system, resulting in command hijacking.
Self-replicating Shai-hulud worm spreads token-stealing malware on npm
Sep 16, 2025
RL researchers have detected the first self-replicating worm compromising popular npm packages with cloud token-stealing malware.
Ethereum smart contracts used to push malicious code on npm
Sep 3, 2025
Malicious npm packages abuse smart contracts to deliver a second stage. They were found to be part of the larger sophisticated campaign mostly present on GitHub.
Malicious pull request infects VS Code extension
Jul 8, 2025
Supply chain attack targeting a VSCode marketplace extension via a malicious pull request.
Python packages smuggle malicious payload in ML models
May 23, 2025
Malicious PyPI packages contain fully functional infostealer code inside PyTorch models that get loaded from package initialization scripts.
Backdoor implant on PyPI posing as debugging utility
May 15, 2025
Sophisticated, malicious package uses Global Socket Toolkit as a backdoor in an ongoing campaign likely linked to the Ukrainian hacktivist gang DumpForums.
Malicious Python packages target Solana developers
May 13, 2025
New Python package revives the name of a malicious module to steal source code and secrets from blockchain developers’ machines.
Malicious Python packages target popular Bitcoin library
Apr 3, 2025
RL automated ML detection system detected 2 malicious PyPI packages targeting users of popular bitcoinlib library with more than 1 million downloads.
Compromised ultralytics PyPI package delivers crypto coinminer
Dec 9, 2024
Popular AI library with 60 million downloads compromised by exploiting GitHub actions vulnerability. The compromised PyPI package delivers downloader code.
Malicious PyPI crypto pay package aiocpa implants infostealer code
Nov 28, 2024
ReversingLabs’ machine learning-based threat hunting system detects malicious code in legitimate looking package engineered to compromise crypto currency wallets.
Malicious NuGet campaign uses homoglyphs and IL weaving to fool devs
Jul 11, 2024
Malicious NuGet packages found impersonating legit packages using homoglyphs and injecting malicious functionality using IL weaving.
Suspicious NuGet package grabs data from industrial systems
Mar 26, 2024
Suspicious package that demonstrates how tiny can the line between industrial espionage and unconventional feature implementation be.
Mining for malicious Ruby gems
Apr 16, 2020
“Jim Carrey” and “Peter Gibbons” impersonators join in a barrage of typosquatting malware on RubyGems targeting software repository users. The malicious code was designed to redirect cryptocurrency transactions.