Phylum Research Team - Phylum Research | Software Supply Chain Security

Python Crypto Library Updated to Steal Private Keys

Phylum Research

Yesterday, Phylum's automated risk detection platform discovered that the PyPI package aiocpa was updated to include malicious code that steals private keys by exfiltrating them through Telegram when users initialize the crypto library. While

Phylum Research Team Nov 21, 2024 4 min read

Phylum Blocks Software Supply Chain Security Attacks

Phylum identifies malicious or risky open-source packages before they enter the software supply chain.

SCA or public databases

82%

of Phylum’s findings are not found by
SCA or reported to public databases

Other curation tools

70%

of Phylum’s findings are not found by
other curation tools

Other software supply chain companies

60%

of Phylum’s findings are not found by
other software supply chain companies

Q3 2024 Evolution of Software Supply Chain Security Report

Phylum Research

Software supply chain security faces sophisticated security threats in the open-source ecosystem. Phylum analyzed millions of packages & files. Read more.

Phylum Research Team Oct 31, 2024 7 min read

Phylum Blocks Software Supply Chain Security Attacks

Phylum identifies malicious or risky open-source packages before they enter the software supply chain.

SCA or public databases

82%

of Phylum’s findings are not found by
SCA or reported to public databases

Other curation tools

70%

of Phylum’s findings are not found by
other curation tools

Other software supply chain companies

60%

of Phylum’s findings are not found by
other software supply chain companies

Typosquat Campaign Targeting npm Developers

Phylum Research

Malware authors have published dozens of typosquat npm packages targeting users of the popular Puppeteer library.

Phylum Research Team Oct 31, 2024 18 min read

Phylum Blocks Software Supply Chain Security Attacks

Phylum identifies malicious or risky open-source packages before they enter the software supply chain.

SCA or public databases

82%

of Phylum’s findings are not found by
SCA or reported to public databases

Other curation tools

70%

of Phylum’s findings are not found by
other curation tools

Other software supply chain companies

60%

of Phylum’s findings are not found by
other software supply chain companies

Trojanized Ethers Forks on npm Attempting to Steal Ethereum Private Keys

Phylum Research

Software supply chain attack targets open-source developers in npm via malicious packages that steal Ethereum private keys, gain SSH persistence.

Phylum Research Team Oct 18, 2024 9 min read

Phylum Blocks Software Supply Chain Security Attacks

Phylum identifies malicious or risky open-source packages before they enter the software supply chain.

SCA or public databases

82%

of Phylum’s findings are not found by
SCA or reported to public databases

Other curation tools

70%

of Phylum’s findings are not found by
other curation tools

Other software supply chain companies

60%

of Phylum’s findings are not found by
other software supply chain companies

North Korea Still Attacking Developers via npm

Phylum Research

There's a renewed surge of attacks with obfuscated JavaScript and fake job campaigns to compromise developers and infiltrate companies. See Phylum research.

Phylum Research Team Aug 29, 2024 3 min read

Phylum Blocks Software Supply Chain Security Attacks

Phylum identifies malicious or risky open-source packages before they enter the software supply chain.

SCA or public databases

82%

of Phylum’s findings are not found by
SCA or reported to public databases

Other curation tools

70%

of Phylum’s findings are not found by
other curation tools

Other software supply chain companies

60%

of Phylum’s findings are not found by
other software supply chain companies