The Phylum Research Team turns four this month, and regular readers of this blog have seen how our team has exposed a wide variety of open-source malware campaigns. We have tracked down authors and their packages
On Wednesday, February 21, Phylum’s automated risk detection platform alerted us to an anomalous publication of a PyPI package named django-log-tracker. This package was first published to PyPI in April 2022. The linked Github repository
Phylum continues to discover malware polluting open-source ecosystems. In this blog post, we take a deep-dive into an npm package trying to masquerade as code profiler which actually installs several malicious scripts including a cryptocurrency and
Phylum is the front-runner in software supply chain attack identification and protection. Across the current digital landscape - where open source is used in 97% of projects and comprises more than 70% of code bases -
⚠️This appears to be an ongoing campaign. Since publication, additional packages have been released tied to this threat actor. See the IOCs below.
On January 12, 2024 Phylum’s automated risk detection platform alerted us to