Phylum Research Team
Hackers, Data Scientists, and Engineers responsible for the identification and takedown of software supply chain attackers.

Phylum Discovers Mischievous NPM Publications

That’s right, we’re not talking about a malicious discovery today, but rather a mischievous one. Phylum’s automated risk detection platform alerted us to the publication of some obfuscated JavaScript packages to NPM on

Q1 2023 Evolution of Software Supply Chain Security Report

Software supply chains are unique among the broader supply chain family. Logistics-based supply chain risks can be contained or limited by industry or region. However, all software applications, everywhere, rely on the same open-source ecosystem, creating

Attackers Repurposing Existing Python-based Malware for Distribution on NPM

On April 16, 2023, Phylum's automated risk detection platform detected a surge of publications of a library called vibranced on NPM. In this article, we will examine the actions taken by the attackers and their attempts to distribute Python-based malware on NPM.

Phylum Adds Open Policy Agent (OPA) and Continuous Reporting

Customers now have more flexibility when creating and enforcing custom policies, and can show compliance with key software supply chain frameworks, regulations and guidelines. Phylum’s policy engine sits directly between the open-source ecosystem and the

Phylum Discovers NPM Package mathjs-min Contains Credential Stealer

Phylum has recently discovered that a package called mathjs-min, which was uploaded to NPM by user rizzman on March 26, contains a Discord token grabber. This package is actually a modified version of the