Spectra Assure Community
Find the best building blocks for your next app.
Secure open source
Building secure software requires the best of Open Source.
Spectra Assure Community allows you to review the key aspects of software safety before including your next dependency.
Share assessment reports
Customers demand software transparency.
Go beyond sharing a simple SBOM. Demonstrate your commitment to building secure software. Share assessments, raise concerns, and triage issues together with your users. Cut the noise and prioritize what matters.
Secure dev toolchains
Building secure software relies on trustworthy development toolchains.
Spectra Assure Community allows you to trust the compilers, linkers, IDE plugins and CI/CD pipelines that you use to build apps.
Complete approach to
secure software supply chains
Malicious attacks on public open source repositories are now as pervasive as developers' use of open source dependencies. Spectra Assure Community monitors open source packages to identify malware, code tampering and indicators of software supply chain attacks.
Quick guided tour
Learn how our reports help you make the best choices for keeping your credentials, projects and end-users safe from malicious attacks.
Self-replicating Shai-hulud worm spreads token-stealing malware on npm
Sep 16, 2025
RL researchers have detected the first self-replicating worm compromising popular npm packages with cloud token-stealing malware.
Ethereum smart contracts used to push malicious code on npm
Sep 3, 2025
Malicious npm packages abuse smart contracts to deliver a second stage. They were found to be part of the larger sophisticated campaign mostly present on GitHub.
Malicious pull request infects VS Code extension
Jul 8, 2025
Supply chain attack targeting a VSCode marketplace extension via a malicious pull request.
Python packages smuggle malicious payload in ML models
May 23, 2025
Malicious PyPI packages contain fully functional infostealer code inside PyTorch models that get loaded from package initialization scripts.
Backdoor implant on PyPI posing as debugging utility
May 15, 2025
Sophisticated, malicious package uses Global Socket Toolkit as a backdoor in an ongoing campaign likely linked to the Ukrainian hacktivist gang DumpForums.
Malicious Python packages target Solana developers
May 13, 2025
New Python package revives the name of a malicious module to steal source code and secrets from blockchain developers’ machines.
Atomic and Exodus crypto wallets targeted in malicious npm campaign
Apr 10, 2025
RL researchers discover another malicious npm package that patches legitimate, locally-installed crypto wallets. Malicious code is designed to overwrite the destination address of crypto transactions with the address of the attacker's wallet.
Malicious Python packages target popular Bitcoin library
Apr 3, 2025
RL automated ML detection system detected 2 malicious PyPI packages targeting users of popular bitcoinlib library with more than 1 million downloads.
Malware found on npm infecting local package with reverse shell
Mar 26, 2025
For the first time, RL researchers discover malicious npm packages infecting other legitimate locally-installed packages. One package that was a target is a popular crypto package ethers.
OSS in the crosshairs: Cryptomining hacks highlight key new threat
Dec 20, 2024
One of the latest high-profile attacks in the last few weeks connected with cryptourrency. This time, crypto miner XMRig is being served and used.
A new playground: Malicious campaigns proliferate from VSCode to npm
Dec 18, 2024
Downloaders found on VSCode Marketplace started appearing on npm. There are multiple similarities that connect those two campaigns.
Compromised ultralytics PyPI package delivers crypto coinminer
Dec 9, 2024
Popular AI library with 60 million downloads compromised by exploiting GitHub actions vulnerability. The compromised PyPI package delivers downloader code.
Malware found in Solana npm library raises the bar for crypto security
Dec 5, 2024
Two versions of @solana/web3.js open source library were infected with code to steal private keys, putting crypto platforms and wallets at risk.
Malicious PyPI crypto pay package aiocpa implants infostealer code
Nov 28, 2024
ReversingLabs’ machine learning-based threat hunting system detects malicious code in legitimate looking package engineered to compromise crypto currency wallets.
Differential analysis raises red flags over @lottiefiles/lottie-player
Nov 21, 2024
Three versions of the popular package were infected and used to spread malicious code stealing crypto wallet assets.
Malicious NuGet campaign uses homoglyphs and IL weaving to fool devs
Jul 11, 2024
Malicious NuGet packages found impersonating legit packages using homoglyphs and injecting malicious functionality using IL weaving.
Malicious package with wiper functionality detected in PyPI
Jun 5, 2024
Malicious packages published as part of irresponsible red team activity present a threat to incautious developers and generate noise for security researchers.
Malicious helpers: VS Code Extensions observed stealing sensitive information
Apr 3, 2024
New VSCode Marketplace extensions found stealing sensitive information using Discord webhook. One of the malicious extensions disguises itself as a “clipboard-helper”, but actually is stealing information from it.
Suspicious NuGet package grabs data from industrial systems
Mar 26, 2024
Suspicious package that demonstrates how tiny can the line between industrial espionage and unconventional feature implementation be.
IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations
Oct 31, 2023
These packages show how threat actors have moved from simple downloaders executing inside install scripts to a more refined approach that exploits NuGet’s MSBuild integrations feature to trigger execution of malicious functionality.
Mining for malicious Ruby gems
Apr 16, 2020
“Jim Carrey” and “Peter Gibbons” impersonators join in a barrage of typosquatting malware on RubyGems targeting software repository users. The malicious code was designed to redirect cryptocurrency transactions.