Back in November of 2023, we published a blog post highlighting the technical details of a sophisticated attack in npm attributed to North Korea. We subsequently published a follow-up in January of 2024 detailing the history
Open source makes up a considerable part of modern-day software projects. CVEs abound for open-source libraries and software packages; however, according to Kenna Security, only 2-5% of these CVEs are ever exploited in the wild. By
By now, news of the malicious backdoor in the XZ Utils compression library has been widely circulated. Though the potential damage appears to have been largely mitigated by the heroic work of a single engineer, aftershocks
Perverse incentives - a situation made worse by incentivizing the wrong behavior. Real-world examples abound, like the Cobra effect or the Great Hanoi Rat Massacre, and now it has come to open source software. Right now,
On 26 March 2024, Phylum’s automated risk detection platform flagged a suspicious publication to npm called vue2util. It bills itself as, and upon first glance appears to be, a simple collection of utility functions for
