Ossprey Security

📢 We're exhibiting at the International Cyber Expo to showcase our programmes, projects and insights to help organisations innovate and collaborate in today’s evolving security landscape!

Enquire to access the engaged #ICE2025 audience with your solutions: hubs.la/Q03vC9yy0

New Blog: Nx Package Compromise

Malware hidden in recent Nx releases created a repo called s1ngularity-repository in developers’ GitHub accounts exposing SSH keys, API tokens, and even wallet files.

Read the breakdown + what to do next: ossprey.com/blog/nx-pack...

#SupplyChainSecurity #npm #OSS

OSSPREY Published on August 24, 2025

New from Ossprey: PyPI is cracking down on domain resurrection attacks by invalidating expired maintainer domains.

1,800 accounts un-verified in just 2 months.
Time to check if your dependencies rely on revoked maintainers.

Full blog: ossprey.com/blog/pypi-domain-vigilance

#opensourcesecurity

🔐 New Case Study: How is Google securing the future of machine learning?

By partnering with #sigstore and the Open Source Security Foundation (OpenSSF), they’ve implemented model signing that makes AI systems more trustworthy by default.

openssf.org/blog/2025/07...

Wild times! 🚨 Cybercrime meets geopolitics—$1M stolen by North Korean hackers. This underscores the urgent need for robust security in crypto. Time to bolster defenses! 🔒💰 #CryptoSecurity #Innovation

Talks from the Purdue CERIAS 2025 Cybersecurity Symposium, which took place at the start of April, are available on YouTube

www.youtube.com/playlist?lis...

www.youtube.com/playlist?lis...

GitLab catches MongoDB Go module supply chain attack Learn how GitLab detected a supply chain attack targeting Go developers through fake MongoDB drivers that deploy persistent backdoor malware.

"Software supply chain attacks via malicious dependencies continue to be one of the most significant security threats to modern software development"

Kudos to our friends over at @gitlab.com for the solid detection and writeup!

about.gitlab.com/blog/gitlab-...

New Supply Chain Malware Attack Targets npm and PyPI Ecosystems A new supply chain malware attack is targeting the npm and PyPI ecosystems, putting millions of users at risk. This attack aims to compromise software packages distributed through these platforms, potentially affecting millions of users who rely on these ecosystems for their development projects. The technical details of the attack are not specified, but the impact is significant due to the widespread use of npm and PyPI in the developer community.

📌 New supply chain malware attack targets npm and PyPI ecosystems, impacting millions of users. #CyberSecurity #Malware https://tinyurl.com/28jfcmu5

Threat Actors Attacking Cryptocurrency and Blockchain Developers with Weaponized npm and PyPI Packages - Bytes Europe The cryptocurrency and blockchain development ecosystem is facing an unprecedented surge in sophisticated malware campaigns targeting the open source supply

Threat Actors Attacking Cryptocurrency and Blockchain Developers with Weaponized npm and PyPI Packages

https://www.byteseu.com/1103527/

The cryptocurrency and blockchain development ecosystem is facing an unprecedented surge in sophisticated malware campaigns targeting the open source supply …

Hackers Unleash Python-NPM Malware Mashup: A Comedy of Errors in Cybersecurity New research from Checkmarx Zero highlights a malicious software campaign targeting Python and NPM users on Windows and Linux. The campaign uses typosquatting techniques, mimicking legitimate software names to trick users into downloading harmful packages. This cross-ecosystem attack is a rare tactic, aiming to steal sensitive data and maintain long-term system access.

Hackers Unleash Python-NPM Malware Mashup: A Comedy of Errors in Cybersecurity

Checkmarx Zero uncovers a sneaky cross-ecosystem malware targeting Python and NPM users with typosquatting. Don't fall for malicious software tricks!
thenimblenerd.com?p=1047019

Malicious PyPi package hides RAT malware, targets Discord devs since 2022 A malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.

A malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years.

OSSPREY Published on April 11, 2025

🚨 Supply Chain Security in Focus
See our latest blog post for a technical deep dive into what happened and what it means for engineers and defenders.

👉 ossprey.com/blog/tj-acti...

Let us know your thoughts or what your team is doing to reduce this kind of risk.

#ossprey #BirdsOfCyber

OSSPREY Published on April 15, 2025

In the era of AI assistants and vibe coding, a new threat emerges from the shadows. It has lurked, hidden and patient, waiting for the right moment.

Zombie Dependencies: they’re not after brains… they’re after your code. :🧟 💻

Read the full post here
👉 ossprey.com/blog/zombie-...

Band wagons are for hopping on, right? Especially if they're easy and fun!

So, everyone, meet Ozzy the Ossprey! He's a lean, mean malware-fighting machine that's here to stomp out open source malware!

Get this limited edition Ozzy the Ossprey in a package manager near you!

#BirdsOfCyber #Ossprey

👉 Read our blog here : ossprey.com/blog/ 👈

Massive thanks to Plexal, Department of Science, Technology and Innovation, our mentors, and the incredible UK cyber community for backing bold ideas.

🦅 Last month, OSSPREY graduated from both Cyber Runway!

What started as an idea in a bootcamp is now a full-flight cybersecurity startup with a beta product that hunts for malware in open source.

Over 60 sessions. 6 cities. Countless insights.

🔥 Top takeaways - Build fast, Validate faster.

🧵