Sonatype Nexus Repository warns "1 Malware Component Found"

On our side, we have identified: Malware in fsevents · GHSA-xv2f-5jw4-v95m · GitHub Advisory Database · GitHub
Our malware hits are all NPM/fsevents things.

Nexus gets its data from https://rhc.sonatype.com/rest/rhc/extras/maliciousContent/{NEXUS_ID} (can be found in the logs) => this identifies the registry.

Then, we have scraped malware databases of GitHub: GitHub Advisory Database · GitHub

And for each entry, we have used Nexus API to check if we have one: https://it-dev-fr-nexus.intramatch.eu:8080/service/rest/v1/search?repository=npm-registry&name={MALWARE_COMPONENT}.
=> ~ 50 were identified (among 18000).
Finally, we have checked group/version one by one to identify fsevents.

4 Likes

Follow-up for this topic:

The recently released version 3.75.0 introduces a dismiss button for the malware banner. Thank you, Sonatype, for listening to our feedback! :)

Details here:
https://help.sonatype.com/en/sonatype-nexus-repository-3-75-0-release-notes.html#dismiss-the-malware-risk-banner-during-your-session

Have a great day, everyone!
Chris

Looks like the latest version (3.75.0) added the ability to suppress the banner for the current session only: Sonatype Nexus Repository 3.75.0 Release Notes

Thanks @sebastien_picavet for this idea. I ended up with two JS scripts to get the whole advisory database from GitHub (only 100 entries per request) and check it against our Nexus server.

fsevents < 1.2.11 was the malicious package. All other hits look like false positives (all created on GitHub on Jun 20, 2022, all with version >= 0 and no patched version).

Would you want to share the scripts you wrote for this? Facing a similar issue.

Thanks @sebastien_picavet, this worked out for us as well. For small findings it works. At a larger scale the Firewall makes more sense, but thanks for the hint.

What we have observed today is that Sonatype Nexus Repository reported es5-ext@0.10.64 as malware, which appears to be a false positive. See: New Protestware Found Lurking in Highly Popular NPM Package - Checkmarx.com. Nexus points out these findings in their documentation: Guide to Removing Malware.

Regarding the approach proposed by @sebastien_picavet, it is a good starting point. Unfortunately, it seems that Nexus Firewall also uses malware databases other than GitHub Advisory (please note that es5-ext@0.10.64 has no GH advisory present). To be honest, relying on GitHub Advisory is problematic, as it is a vulnerability database, so in any case a lot of additional manual checking is needed. You can slightly improve the process by trying to narrow the search using CWE IDs or relevant keywords.
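The procedure described in this thread (pull the GitHub Advisory Database, look each npm package name up in the Nexus search API, then compare versions by hand) as one script, added here as an illustration; it is not the scripts the posters above wrote. It narrows the GitHub query to `type=malware&ecosystem=npm` as the previous reply suggests, and it applies the earlier observation that advisories with a range of `>= 0` and no patched version deserve a manual look before being treated as confirmed hits. Assumed from the public API shapes (not quoted on this page): the GitHub REST endpoint `GET /advisories` with its `vulnerabilities[].vulnerable_version_range` / `first_patched_version` fields and `Link`-header pagination, and the Nexus endpoint `/service/rest/v1/search` with its `items[]` and `continuationToken` fields. The version comparison is a small numeric-only comparator, not full semver (prerelease tags are ignored). The advisory and component data at the bottom is constructed for the offline run; the second advisory ID and package name are made up.

```javascript
// Compare numeric "major.minor.patch" versions; prerelease/build suffixes are dropped
// (assumption: good enough for GHSA ranges like "< 1.2.11", not full semver).
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/, '').split(/[-+]/)[0];
  return core.split('.').map(n => parseInt(n, 10) || 0);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
const OPS = { '<': d => d < 0, '<=': d => d <= 0, '>': d => d > 0, '>=': d => d >= 0, '=': d => d === 0 };

// GHSA ranges are comma-separated AND clauses, e.g. ">= 1.0.0, < 1.2.11" or ">= 0".
function satisfies(version, range) {
  return String(range).split(',').every(clause => {
    const m = clause.trim().match(/^(<=|>=|<|>|=)?\s*(.+)$/);
    return m ? OPS[m[1] || '='](compareVersions(version, m[2])) : false;
  });
}

// Index GitHub advisories by npm package name (assumed response shape of GET /advisories).
function indexAdvisories(advisories) {
  const byName = new Map();
  for (const adv of advisories) {
    for (const v of adv.vulnerabilities || []) {
      if ((v.package?.ecosystem || '').toLowerCase() !== 'npm') continue;
      const list = byName.get(v.package.name) || [];
      list.push({ ghsa_id: adv.ghsa_id, range: v.vulnerable_version_range,
                  patched: v.first_patched_version || null });
      byName.set(v.package.name, list);
    }
  }
  return byName;
}

// Match Nexus components ({name, version}) against the advisory index.
// A blanket ">= 0" range with no patched version covers every version ever published,
// so such hits are marked "review" rather than "match" (heuristic from this thread).
function findMalwareHits(advisories, components) {
  const idx = indexAdvisories(advisories);
  const hits = [];
  for (const c of components) {
    for (const adv of idx.get(c.name) || []) {
      if (!satisfies(c.version, adv.range)) continue;
      const blanket = String(adv.range).replace(/\s/g, '') === '>=0' && !adv.patched;
      hits.push({ name: c.name, version: c.version, ghsa_id: adv.ghsa_id,
                  status: blanket ? 'review' : 'match' });
    }
  }
  return hits;
}

// Live fetchers (not executed offline). Node 18+ global fetch; token is optional.
async function fetchMalwareAdvisories(token) {
  let url = 'https://api.github.com/advisories?type=malware&ecosystem=npm&per_page=100';
  const headers = { Accept: 'application/vnd.github+json' };
  if (token) headers.Authorization = `Bearer ${token}`;
  const all = [];
  while (url) {
    const res = await fetch(url, { headers });
    if (!res.ok) throw new Error(`GitHub API ${res.status}`);
    all.push(...await res.json());
    const next = /<([^>]+)>;\s*rel="next"/.exec(res.headers.get('link') || '');
    url = next ? next[1] : null; // follow Link pagination until the last page
  }
  return all;
}
async function searchNexus(baseUrl, repository, name, auth) {
  const headers = auth ? { Authorization: 'Basic ' + Buffer.from(auth).toString('base64') } : {};
  const items = [];
  let token = null;
  do {
    const url = new URL('/service/rest/v1/search', baseUrl);
    url.searchParams.set('repository', repository);
    url.searchParams.set('name', name);
    if (token) url.searchParams.set('continuationToken', token);
    const res = await fetch(url, { headers });
    if (!res.ok) throw new Error(`Nexus ${res.status} for ${name}`);
    const body = await res.json();
    items.push(...(body.items || []).map(i => ({ name: i.name, version: i.version, repo: i.repository })));
    token = body.continuationToken || null;
  } while (token);
  return items;
}

// Constructed sample data for the offline run. The fsevents entry uses the ID and range
// quoted in this thread; "example-pkg" and its GHSA ID are made up.
const SAMPLE_ADVISORIES = [
  { ghsa_id: 'GHSA-xv2f-5jw4-v95m', type: 'malware', vulnerabilities: [
      { package: { ecosystem: 'npm', name: 'fsevents' }, vulnerable_version_range: '< 1.2.11' }] },
  { ghsa_id: 'GHSA-0000-0000-0000', type: 'malware', vulnerabilities: [
      { package: { ecosystem: 'npm', name: 'example-pkg' }, vulnerable_version_range: '>= 0' }] },
];
const SAMPLE_COMPONENTS = [
  { name: 'fsevents', version: '1.2.9' }, { name: 'fsevents', version: '2.3.2' },
  { name: 'example-pkg', version: '1.0.0' }, { name: 'lodash', version: '4.17.21' },
];
```

For a real run, call `fetchMalwareAdvisories()`, then `searchNexus(base, 'npm-registry', name)` once per distinct package name in the index, and pass the collected components to `findMalwareHits`; the `review` entries are the ones to confirm against the advisory text before removing anything.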

It appears Nexus 3.83 broke the feature flags discussed here - in fact, it won’t start with them set (and if they’re unset, the banner immediately appears again). Has anyone found another way to remove the banner, or has Sonatype successfully removed that option entirely and we are stuck with it if we update?

I believe we have a fix for the flag, I’m not sure which release it will be a part of.

We switched dependency injection from Guice to Spring in the release and Spring considers failure to inject a blocking error whereas Guice did not.

1 Like