This week Sonatype identified 17 npm packages, at least 12 of which directly target John Deere's private npm dependencies via dependency confusion, a technique repeatedly employed by bug bounty hunters and malicious actors alike when targeting open source packages.
John Deere, or more specifically, Deere & Company, is a U.S.-based global producer of agricultural equipment including machines, tractors, and engines, as well as a provider of financial services.
The discovery was made by Sonatype's automated malware detection bots, offered as a part of Nexus Firewall.
Article Link: John Deere dependency confusion attempt flagged by Sonatype