John Deere dependency confusion attempt flagged by Sonatype

This week Sonatype identified 17 npm packages, at least 12 of which directly target John Deere's private npm dependencies via dependency confusion, a technique that continues to repeatedly be employed by bug bounty hunters and malicious actors alike when targeting open source packages.

John Deere, or more specifically, Deere & Company, is a U.S.-based global producer of agricultural equipment including machines, tractors, and engines, as well as provider of financial services.

The discovery was made by Sonatype's automated malware detection …

dependency dependency confusion devzone featured john john deere malware prevention npm sonatype vulnerabilities