Secure Open Source
Building secure software requires the best of Open Source.
Spectra Assure Community allows you to review the key aspects of software safety before including your next dependency.
Share Assessment Reports
Customers demand software transparency.
Go beyond sharing a simple SBOM. Demonstrate your commitment to building secure software. Share assessments, raise concerns, and triage issues together with your users. Cut the noise and prioritize what matters.
Secure Dev Toolchains
Building secure software relies on trustworthy development toolchains.
Spectra Assure Community allows you to trust the compilers, linkers, IDE plugins and CI/CD pipelines that you use to build apps.
Complete Approach to
Secure Software Supply Chains
Malicious attacks on public open source repositories are now as pervasive as developers' use of open source dependencies. Spectra Assure Community monitors open source packages to identify malware, code tampering and indicators of software supply chain attacks.
Quick guided tour
Learn how our reports helps you make the best choices for keeping your credentials, projects and end-users safe from malicious attacks.
Malware leveraging public infrastructure on the rise
Dec 19, 2023
Malware authors occasionally upload their samples to services like Dropbox and Discord to host second stage malware. This time around, GitHub was being abused to issue commands to PyPI malware.
Protestware taps npm to call out wars
Nov 16, 2023
Newly discovered open source software packages on the npm platform contain scripts that broadcast peace messages related to ongoing conflicts in Ukraine and on the Gaza Strip when they are deployed.
Malicious npm package delivering r77 rootkit
Oct 4, 2023
The letter “s” was all that separated a legitimate npm package from a malicious twin that delivered the open source r77 rootkit — this typosquatting package was downloaded more than 700 times.
VMConnect supply chain attack linked to North Korean threat actors
Aug 31, 2023
PyPI was leveraged to target developers in the first state-sponsored attributed software supply chain attack. The malicious packages mimicked popular open-source Python tools to trick developers into installing them.
Fake Roblox packages target npm with Luna Grabber
Aug 22, 2023
Attackers are increasingly adopting the use of open source malware for their attacks on developers. Similar to the 2021 campaign, fake Roblox packages mimicking a legitimate package noblox.js delivered the open source infostealer Luna Grabber.
Brainleeches - First crossover of phishing and supply chain attacks
Jul 6, 2023
“Write once, infect everywhere” might be the new cybercrime motto, with newly discovered campaigns showing malicious npm packages powering phishing kits and supply chain attacks.
Who checks the contents of compiled Python files?
Jun 1, 2023
In the ever-evolving pursuit of detection evasion, attackers start taking advantage of the fact that Python byte code (PYC) files can be directly executed.
RATs found hiding in the npm attic
May 18, 2023
Combination of suspicious code behaviors draws attention for deeper investigation. Open source packages that contain hard coded IP addresses in their code, while also executing commands and writing data to files, in our experience, usually turn out to be malicious.
Malicious npm package mimics Material Tailwind CSS tool
Sep 23, 2022
The malicious Material Tailwind npm package, has an automatic post-install script, which downloads a password protected zip file that contains a malicious executable: a custom-packed Windows executable capable of running PowerShell scripts.
IconBurst - Escalation of Attacker Tactics
Jul 5, 2022
IconBurst is the first typosquatting attack to trigger the payload only after its host software release package is deployed by unsuspecting users.
Malware Targeting Developer's Credentials
Jul 21, 2021
Typosquatting attacks prey on developers mistyping open source package names. The malicious payload usually steals credentials to pivot through developer toolchains.
Mining for malicious Ruby gems
Apr 16, 2020
“Jim Carrey” and “Peter Gibbons” impersonators join in a barrage of typosquatting malware on RubyGems targeting software repository users. The malicious code was designed to redirect cryptocurrency transactions.