Sonatype Nexus Repository warns "1 Malware Component Found"

On our side, we have identified: Malware in fsevents · GHSA-xv2f-5jw4-v95m · GitHub Advisory Database · GitHub
Our malware hits are all NPM/fsevents things.

Nexus gets its data from https://rhc.sonatype.com/rest/rhc/extras/maliciousContent/{NEXUS_ID} (can be found in the logs) => it allows us to identify the registry.

Then, we have scraped malware databases of GitHub: GitHub Advisory Database · GitHub

And for each entry, we have used Nexus API to check if we have one: https://it-dev-fr-nexus.intramatch.eu:8080/service/rest/v1/search?repository=npm-registry&name={MALWARE_COMPONENT}.
=> ~ 50 were identified (among 18000).
Finally, we have checked group/version one by one to identify fsevents.

4 Likes

Follow-up for this topic:

The recently released version 3.75.0 introduces a dismiss button for the malware banner. Thank you, Sonatype, for listening to our feedback! :slight_smile:

Details here:
https://help.sonatype.com/en/sonatype-nexus-repository-3-75-0-release-notes.html#dismiss-the-malware-risk-banner-during-your-session

Have a great day, everyone!
Chris

Looks like the latest version (3.75.0) added the ability to suppress the banner for the current session only: Sonatype Nexus Repository 3.75.0 Release Notes

Thanks @sebastien_picavet for this idea. I ended up with two js scripts to get the whole advisory database from GitHub (only 100 entries per request) and check against our nexus server.

fsevents < 1.2.11 was the malicious package. All other hits look like false positives (all created on GitHub on Jun 20, 2022, all with version >= 0 and no patched version).
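The procedure from the first post (pull the GitHub advisory list, query the Nexus search API for every npm package named in it, then compare the cached versions against the affected range) and the pagination and false-positive triage mentioned in the post above, as an added example script. This is not one of the scripts from the thread. It assumes Node 18+ (global `fetch`), the public GitHub REST endpoint `GET /advisories` with its `type`, `ecosystem` and `per_page` filters and `first_patched_version` field, the Nexus `v1/search` endpoint with `continuationToken` paging, and the environment variables `GITHUB_TOKEN`, `NEXUS_URL` and `NEXUS_REPO` (all hypothetical names). Without those variables it runs offline against constructed sample data.

```javascript
// Added example, not code from the thread: cross-check npm malware advisories
// from the GitHub Advisory Database against components cached in a Nexus npm
// proxy repository. Assumes Node 18+ (global fetch) and the API shapes noted
// in the lead-in; GITHUB_TOKEN / NEXUS_URL / NEXUS_REPO are hypothetical names.
const GITHUB_API = "https://api.github.com/advisories";

// Numeric compare of dotted versions ("1.2.9" < "1.2.11"); pre-release
// suffixes are ignored, which is sufficient for a triage pass.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const pb = b.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// GitHub writes ranges as comma-separated comparators, e.g. "< 1.2.11" or
// ">= 1.0.0, < 2.0.0". True when `version` satisfies every clause.
function versionInRange(version, range) {
  return range.split(",").every((clause) => {
    const m = clause.trim().match(/^(<=|>=|<|>|=)\s*(\S+)$/);
    if (!m) return false; // unparseable clause: do not match silently
    const c = compareVersions(version, m[2]);
    switch (m[1]) {
      case "<": return c < 0;
      case "<=": return c <= 0;
      case ">": return c > 0;
      case ">=": return c >= 0;
      default: return c === 0;
    }
  });
}

// Page through the advisory list (100 per request) by following rel="next".
async function fetchMalwareAdvisories(token) {
  const out = [];
  let url = `${GITHUB_API}?type=malware&ecosystem=npm&per_page=100`;
  while (url) {
    const res = await fetch(url, {
      headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json" },
    });
    if (!res.ok) throw new Error(`GitHub API ${res.status} for ${url}`);
    out.push(...(await res.json()));
    const next = (res.headers.get("link") || "").match(/<([^>]+)>;\s*rel="next"/);
    url = next ? next[1] : null;
  }
  return out;
}

// Ask Nexus which versions of `name` the npm proxy has cached.
async function nexusVersions(baseUrl, repo, name) {
  const versions = [];
  let token = null;
  do {
    const u = new URL("/service/rest/v1/search", baseUrl);
    u.searchParams.set("repository", repo);
    u.searchParams.set("name", name);
    if (token) u.searchParams.set("continuationToken", token);
    const res = await fetch(u);
    if (!res.ok) throw new Error(`Nexus ${res.status} for ${name}`);
    const body = await res.json();
    for (const item of body.items) if (item.name === name) versions.push(item.version);
    token = body.continuationToken;
  } while (token);
  return versions;
}

// Core check. `lookup(name)` returns the cached versions, so the logic can run
// offline against sample data as well as against a live Nexus.
async function findHits(advisories, lookup) {
  const hits = [];
  for (const adv of advisories) {
    for (const v of adv.vulnerabilities || []) {
      if (!v.package || v.package.ecosystem !== "npm") continue;
      for (const version of await lookup(v.package.name)) {
        if (!versionInRange(version, v.vulnerable_version_range)) continue;
        hits.push({
          ghsa: adv.ghsa_id, name: v.package.name, version,
          // Thread heuristic: a blanket ">= 0" range with no patched version
          // is a candidate false positive and goes to manual triage.
          needsTriage: v.vulnerable_version_range.trim() === ">= 0" && !v.first_patched_version,
        });
      }
    }
  }
  return hits;
}

// Constructed sample data in the API shapes (the fsevents range is the one the
// thread reports; the patched version and the second advisory are made up).
const SAMPLE_ADVISORIES = [
  { ghsa_id: "GHSA-xv2f-5jw4-v95m", vulnerabilities: [{ package: { ecosystem: "npm", name: "fsevents" },
      vulnerable_version_range: "< 1.2.11", first_patched_version: "1.2.11" }] },
  { ghsa_id: "GHSA-EXAMPLE-0001", vulnerabilities: [{ package: { ecosystem: "npm", name: "example-pkg" },
      vulnerable_version_range: ">= 0", first_patched_version: null }] },
];
const SAMPLE_NEXUS = { fsevents: ["1.2.9", "1.2.11", "2.3.2"], "example-pkg": ["0.1.0"] };
const sampleLookup = async (name) => SAMPLE_NEXUS[name] || [];

async function main() {
  const { GITHUB_TOKEN, NEXUS_URL, NEXUS_REPO = "npm-registry" } = process.env;
  const live = Boolean(GITHUB_TOKEN && NEXUS_URL);
  const advisories = live ? await fetchMalwareAdvisories(GITHUB_TOKEN) : SAMPLE_ADVISORIES;
  const lookup = live ? (n) => nexusVersions(NEXUS_URL, NEXUS_REPO, n) : sampleLookup;
  for (const h of await findHits(advisories, lookup)) {
    console.log(`${h.ghsa}\t${h.name}@${h.version}${h.needsTriage ? "\t(triage: blanket range)" : ""}`);
  }
}
if (typeof require !== "undefined" && require.main === module) {
  main().catch((e) => { console.error(e); process.exit(1); });
}
```

Run with the three variables set to query the live services; run it bare to see the matching logic on the sample data. Matching on the exact package name in the Nexus response matters because `name=` in the search API is a pattern match, and the version filter is what separates a real hit (fsevents 1.2.9 cached) from a package that is merely present in a patched version.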

Would you want to share the scripts you wrote for this? Facing a similar issue.

Thanks @sebastien_picavet - worked out for us as well. For small findings it works. At a larger scale the firewall makes more sense. But thanks for the hint.