Senior Software Engineer, responsible for integrations and author of the "phylum" Python package. Documentation and quality champion, runner, baseball and scout dad, pod-faster, and lover of outdoors.
Build requirements in Python source distributions allow attackers to execute arbitrary code in an isolated build environment that is automatically deleted after use.
Learn basic techniques attackers use to create malicious packages with trojan features found in attacks including typosquatting, starjacking, dependency confusion, and lockfile injection.
The primary vector for malicious code running in software developer environments (e.g., local system, CI/CD runners, production servers, etc.) is software dependencies. This is third-party code which often means open-source software, also known as