Phylum detects massive typosquat campaign targeting popular Python libraries on PyPI. Over 500 variations published. Protect your software supply chain from these threats.| Phylum Research | Software Supply Chain Security
Developing story: Open source repositories are polluted with thousands of dubious packages published by opportunistic actors exploiting a protocol. Read more...
Phylum detects malicious npm package vue2util. A hidden cryptojacking scheme exploits the ERC20 contract approval mechanism. Learn how to protect your software supply chain from these threats.
Phylum celebrates four years of fighting open-source software supply chain risk, scanning packages in seven ecosystems: npm, PyPI, NuGet, crates.io, RubyGems, Golang, and Maven Central.
On Wednesday, February 21, Phylum’s automated risk detection platform alerted us to an anomalous publication of a PyPI package named django-log-tracker. This package was first published to PyPI in April 2022. The linked Github repository shows activity around the same time. It’s interesting to note, though, that today’
Phylum continues to discover malware polluting open-source ecosystems. In this blog post, we take a deep dive into an npm package trying to masquerade as a code profiler, which actually installs several malicious scripts including a cryptocurrency and credential stealer. Curiously, the attacker attempted to hide the malicious code in a test
⚠️ This appears to be an ongoing campaign. Since publication, additional packages have been released tied to this threat actor. See the IOCs below. On January 12, 2024, Phylum’s automated risk detection platform alerted us to a suspicious publication on npm. The package in question, oscompatible, contained a few strange
Back in November, we published a write-up about a collection of npm packages involved in a complex attack chain. These packages, once installed, would download a remote file, decrypt it, execute an exported function from it, and then meticulously cover their tracks by deleting and renaming files. This left the