Spectra Assure Community
Find the best building blocks for your next app.
Secure open source
Building secure software requires the best of Open Source.
Spectra Assure Community allows you to review the key aspects of software safety before including your next dependency.
Share assessment reports
Customers demand software transparency.
Go beyond sharing a simple SBOM. Demonstrate your commitment to building secure software. Share assessments, raise concerns, and triage issues together with your users. Cut the noise and prioritize what matters.
Secure dev toolchains
Building secure software relies on trustworthy development toolchains.
Spectra Assure Community allows you to trust the compilers, linkers, IDE plugins and CI/CD pipelines that you use to build apps.
Complete approach to
secure software supply chains
Malicious attacks on public open source repositories are now as pervasive as developers' use of open source dependencies. Spectra Assure Community monitors open source packages to identify malware, code tampering and indicators of software supply chain attacks.
Quick guided tour
Learn how our reports help you make the best choices for keeping your credentials, projects and end-users safe from malicious attacks.
NuGet malware targets Nethereum tools
Dec 17, 2025
Malicious NuGet package targeting crypto wallets and OAuth tokens to steal funds.
VS Code extensions contain trojan-laden image
Dec 10, 2025
RL has discovered 19 malicious extensions on VSCode Marketplace - the majority containing a malicious file posing as a PNG.
New Sha1-hulud worm spreads on npm
Dec 9, 2025
RL automated detection system has detected the new wave of Shai-Hulud worm compromising popular npm packages with cloud token-stealing malware.
Bootstrap script exposes PyPI to domain takeover attacks
Nov 26, 2025
Bootstrap scripts for zc.buildout that install the package distribute fetch and execute an installation script from python-distribute[.]org — a legacy domain that is now available for sale.
How PowerShell Gallery simplifies attacks
Nov 4, 2025
PowerShell clobbering combined with autoloading and dynamic modules in the global scope allows modules to register commands that can take precedence over those registered by the system, resulting in command hijacking.
Self-replicating Shai-hulud worm spreads token-stealing malware on npm
Sep 16, 2025
RL researchers have detected the first self-replicating worm compromising popular npm packages with cloud token-stealing malware.
Ethereum smart contracts used to push malicious code on npm
Sep 3, 2025
Malicious npm packages abuse smart contracts to deliver a second stage. They were found to be part of the larger sophisticated campaign mostly present on GitHub.
Malicious pull request infects VS Code extension
Jul 8, 2025
Supply chain attack targeting a VSCode marketplace extension via a malicious pull request.
Python packages smuggle malicious payload in ML models
May 23, 2025
Malicious PyPI packages contain fully functional infostealer code inside PyTorch models that get loaded from package initialization scripts.
Backdoor implant on PyPI posing as debugging utility
May 15, 2025
Sophisticated, malicious package uses Global Socket Toolkit as a backdoor in an ongoing campaign likely linked to the Ukrainian hacktivist gang DumpForums.
Malicious Python packages target Solana developers
May 13, 2025
New Python package revives the name of a malicious module to steal source code and secrets from blockchain developers’ machines.
Atomic and Exodus crypto wallets targeted in malicious npm campaign
Apr 10, 2025
RL researchers discover another malicious npm package that patches legitimate, locally-installed crypto wallets. Malicious code is designed to overwrite the destination address of crypto transactions with the address of the attacker's wallet.
Malicious Python packages target popular Bitcoin library
Apr 3, 2025
RL automated ML detection system detected 2 malicious PyPI packages targeting users of popular bitcoinlib library with more than 1 million downloads.
Malware found on npm infecting local package with reverse shell
Mar 26, 2025
For the first time, RL researchers discover malicious npm packages infecting other legitimate locally-installed packages. One package that was a target is a popular crypto package ethers.
OSS in the crosshairs: Cryptomining hacks highlight key new threat
Dec 20, 2024
One of the latest high-profile attacks in the last few weeks connected with cryptourrency. This time, crypto miner XMRig is being served and used.
A new playground: Malicious campaigns proliferate from VSCode to npm
Dec 18, 2024
Downloaders found on VSCode Marketplace started appearing on npm. There are multiple similarities that connect those two campaigns.
Compromised ultralytics PyPI package delivers crypto coinminer
Dec 9, 2024
Popular AI library with 60 million downloads compromised by exploiting GitHub actions vulnerability. The compromised PyPI package delivers downloader code.
Malicious PyPI crypto pay package aiocpa implants infostealer code
Nov 28, 2024
ReversingLabs’ machine learning-based threat hunting system detects malicious code in legitimate looking package engineered to compromise crypto currency wallets.
Malicious NuGet campaign uses homoglyphs and IL weaving to fool devs
Jul 11, 2024
Malicious NuGet packages found impersonating legit packages using homoglyphs and injecting malicious functionality using IL weaving.
Suspicious NuGet package grabs data from industrial systems
Mar 26, 2024
Suspicious package that demonstrates how tiny can the line between industrial espionage and unconventional feature implementation be.
Mining for malicious Ruby gems
Apr 16, 2020
“Jim Carrey” and “Peter Gibbons” impersonators join in a barrage of typosquatting malware on RubyGems targeting software repository users. The malicious code was designed to redirect cryptocurrency transactions.