Discover the power of polyfills. Learn how these essential tools bridge the gap between modern JavaScript features and older browsers. See Phylum Research.| Phylum Research | Software Supply Chain Security
Uncover the hidden dangers of npm packages. Phylum Research reveals a malicious package known as "react-zutils" designed to steal cryptocurrency data.
On May 24, 2024, Phylum’s automated risk detection platform alerted us to a suspicious publication on npm. The package in question is called glup-debugger-log and was published with two obfuscated files that worked together; one worked as a kind of initial dropper setting the stage for the malware campaign
Open-source Ecosystem Malware Alert: Phylum Research exposes a novel steganography attack to deliver a malicious Go binary within a PyPI package.
North Korean threat actors return to npm with a new attack. Phylum detects malicious packages targeting macOS and Windows. Protect your software supply chain.
Developing story: Open source repositories are polluted with thousands of dubious packages published by opportunistic actors exploiting a protocol.
Phylum continues to discover malware polluting open-source ecosystems. In this blog post, we take a deep dive into an npm package trying to masquerade as a code profiler, which actually installs several malicious scripts including a cryptocurrency and credential stealer. Curiously, the attacker attempted to hide the malicious code in a test
Back in November, we published a write-up about a collection of npm packages involved in a complex attack chain. These packages, once installed, would download a remote file, decrypt it, execute an exported function from it, and then meticulously cover their tracks by deleting and renaming files. This left the
In June 2023, Phylum was the first to unearth a series of suspicious npm publications belonging to what appeared to be a highly targeted attack. The identified packages, published in pairs, required installation in a specific sequence, subsequently retrieving a token that facilitated the download of a final malicious payload