Sonatype (Software Supply Chain Research)
sonatype · B · active
Software-supply-chain research lab; cited as corroborating primary for the 176-package npm dependency-confusion campaign (Sonatype-2026-003429) in the 2026-06-01 brief. Discovered via S3 WebSearch pivot from the Microsoft npm dependency-confusion post. Candidate — promote to active after 3 runs with content contribution. | 2026-06-20 full audit (v2.62): live=Y, drill=Y. FETCH → feed https://www.sonatype.com/blog/rss.xml 5 (title+date+summary+link) then webfetch the per-article sonatype.com/blog/<slug> URL for body. AVOID: WebFetch on the /blog listing renders but DROPS publication dates — use the RSS feed for dates. The blog also mixes product/commentary posts with the supply-chain research; filter to the npm/dependency-attack titles.. | 2026-07-05 admiralty audit: B — original supply-chain research from first-hand registry telemetry; stays active. Use RSS for dates (WebFetch on /blog drops them).
Cited in 3 entries
Citation cadence
Citation days per ISO week (2 weeks of coverage span, total 3).
- Shai-Hulud / Miasma supply-chain worm lineage — open-sourced, ported to PyPI, and a 1,500-package AUR wave2026-06-14
- "Atomic Arch" supply-chain attack hijacks 400+ AUR packages to drop a credential stealer and eBPF rootkit2026-06-13
- Two concurrent npm dependency-confusion campaigns target internal corporate namespaces2026-06-01