Henrik Plate

@JPD_1206 @CharlieEriksen @marius_benthin @cyb3rops Thank you for neutralizing the npm packages hosted on npm[.]jpartifacts[.]com — no installation hook and no data harvesting code anymore. But it also shows the risk of using URL dependencies, which place control outside the visibility and versioning guarantees of the registry.

@CharlieEriksen @marius_benthin @cyb3rops Wow! i didn't aware of this and this is part of security research there are no users harmed. Iam a researcher too!

Another wave of #NPM packages related to #PhantomRaven. New endpoint for remote dynamic dependencies: hxxp://package[.]storeartifacts[.]com/npm/ Packages: clean-order:8.0.0 typescript-urql:8.0.0 google-camelcase:8.0.0 add-react-displayname:0.0.6

@JPD_1206 @CharlieEriksen @marius_benthin @cyb3rops In other words: Why don’t you send a tiny beacon as a proof of installation, through code part of the package itself, instead of collecting way too much through a dynamic dependency that can change at any time.

@JPD_1206 @CharlieEriksen @marius_benthin @cyb3rops Also, the fact that a mutable URL dependency is used makes it possible to change the payload at any moment in time, which is not very reassuring.

@CharlieEriksen @marius_benthin @cyb3rops @JPD_1206 The name has been coined by Koi back in October 2025—not sure why they decided to name it this way.

@marius_benthin @cyb3rops Why are we giving these a name, though? This is just @JPD_1206 as far as I'm aware.

Taxonomy of Attacks on Open-Source Software Supply Chains: arxiv.org/abs/2204.04008 Risk Explorer for Software Supply Chains: sap.github.io/risk-explorer-…

Just today, an article on software supply chain security, written with Wolfram Fischer, got published in the German IT magazine iX. It picks up our works on a taxonomy of supply chain attacks, done together with @piergiorgioLad , @barais and Matias Sebastian Martinez...

Paderborn University @unipb & #SAPSecurityResearch @SAP partner on a new research project to detect and mitigate vulnerabilities in open-source software dependencies👇 uni-paderborn.de/en/news-item/9… @SerenaPonta, @HenrikPlate, W. Fischer, V. Lotz, S. Schott, J. Klauke, @profbodden

Join our colleague @HenrikPlate at the @OSPOAlliance OnRamp meeting on Friday, January 14, for his talk on managing Log4jshell & other open-source vulnerabilities with Eclipse Steady. @EclipseFdn #SAPOpenSource #opensource ➡️ Information & meeting link: sap.to/6016JChKr.

@todogroup provides plenty of useful resources and references regarding #OpenSource programs, e.g. the OSPO landscape landscape.todogroup.org, which now mentions Eclipse Steady among the SCA tools. @EclipseFdn

@OSPOAlliance released v1.0 of the "Open Source Good Governance Handbook" and highlights Eclipse Steady for #opensource vulnerability management: ospo.zone/ggi/activities… @EclipseFdn github.com/eclipse/steady

@joshbressers This work continues previous research done with the Universities of Bonn and Trento: rd.springer.com/chapter/10.100… and dl.acm.org/doi/abs/10.114…

@joshbressers The survey is done by SAP Security Research and the University of Rennes 1. Results will be published, and the interactive attack tree publicly available, together with associated safeguards. There are many use-cases of the attack tree, from education to scoping/guiding pentests.

Are developers aware of attack vectors targeting #opensource? Which safeguards to they know and use? You are a developer? Take 10 mins to participate in our survey and circulate it to your fellows! No prior knowledge required, only on desktops/laptops: survey.opensourceunchained.eu/developersurve…

🗓️ Mark your calendar for the #SAPOpenSource webinar "Open Source Supply Chains – How Attackers Poison the Well" with @HenrikPlate on May 18, 2021. #opensource #SAPSecurityResearch For information and registration: sap.to/6013HNziW

Check out the tools provided by @sparta_eu CAPE program to evaluate the consequences of vulnerabilities in open source libraries on the applications that use them! 🇪🇺📚🔐 🛠sparta.eu/news/2021-04-1…

We are conducting a small experiment on the use of #deceptive #HTTP parameters to improve #application #security. The questionnaire takes around 30 min, and we would really appreciate your participation! Check out the link for more details➡️ bit.ly/3sSx3Za

Discover the final part of our blog post series on #security and learn how Eclipse Steady and Project KB help you in the detection, assessment, and remediation of #opensource with known vulnerabilities. @HenrikPlate #SAPOpenSource #SAPSecurityResearch ➡️ sap.to/6013HaFQ3

In his new blog post @HenrikPlate explains how to detect, assess and mitigate #vulnerabilities in your #opensource dependencies. It is part of the @sapopensource series on @SAP open source tools supporting the secure dev process: 👇 blogs.sap.com/2021/03/30/per… #SAPSecurityResearch