Sonatype Nexus Repository warns "1 Malware Component Found"

Sonatype Nexus Repository
21

On our side, we have identified: Malware in fsevents · GHSA-xv2f-5jw4-v95m · GitHub Advisory Database · GitHub
Our malwares are all NPM/fsevents things.

Nexus gets its data from https://rhc.sonatype.com/rest/rhc/extras/maliciousContent/{NEXUS_ID} (can be finded on logs) => it allows to identify the registry.

Then, we have scraped malware databases of GitHub: GitHub Advisory Database · GitHub

And for each entry, we have used Nexus API to check if we have one: https://it-dev-fr-nexus.intramatch.eu:8080/service/rest/v1/search?repository=npm-registry&name={MALWARE_COMPONENT}.
=> ~ 50 were identified (among 18000).
Finally, we have checked group/version one by one to identify fsevents

4 Likes
22

Follow-up for this topic:

The recently released version 3.75.0 release introduces a dismiss button for the malware-banner. Thank you, Sonatype, for listening to our feedback! :slight_smile:

Details here:
https://help.sonatype.com/en/sonatype-nexus-repository-3-75-0-release-notes.html#dismiss-the-malware-risk-banner-during-your-session

Have a great day, everyone!
Chris

23

Looks like latest version (3.75.0) added ability to suppress the banner for the current session only: Sonatype Nexus Repository 3.75.0 Release Notes

24

Thanks @sebastien_picavet for this idea. I ended up with two js scripts to get the whole advisory database from GitHub (only 100 entries per request) and check against our nexus server.

fsevents < 1.2.11 was the malicous package. All other hits look like false positive (all created on github on Jun 20, 2022 and all with version >= 0 and no patched version)

25

Would you want to share the scripts you wrote for this? facing a similar issue.

26

Thanks @sebastien_picavet - worked out for us as well. For small findings it works. In a larger scale the firewall makes more sense. but thanks for the hint.

27

What we have observed today is that Sonatype Nexus Repository reported es5-ext@0.10.64 as malware, which appears to be a false positive — see this: New Protestware Found Lurking in Highly Popular NPM Package - Checkmarx.com. Nexus points out these findings in their documentation: Guide to Removing Malware. See:

Screenshot 2025-05-05 at 14.38.20
Screenshot 2025-05-05 at 14.38.201920×567 64.9 KB

Regarding the approach proposed by @sebastien_picavet, it is a good starting point. Unfortunately, it seems that Nexus Firewall also uses malware databases other than GitHub Advisory(Please note that es5-ext@0.10.64 has not GH advisory present). To be honest, relying on GitHub Advisory is problematic, as it is a vulnerability database — so, in any case, a lot of additional manual checking is needed. You can little improve the process by trying to narrow the search using CWE IDs or relevant keywords.