Perverse incentives - a situation made worse by incentivizing the wrong behavior. Real-world examples abound, like the Cobra effect or the Great Hanoi Rat Massacre, and now it has come to open source software. Right now,
On 26 March 2024, Phylum’s automated risk detection platform flagged a suspicious publication to npm called vue2util. It bills itself as, and upon first glance appears to be, a simple collection of utility functions for
On 26 March 2024, Phylum’s automated risk detection platform picked up yet another typosquat campaign targeting some attackers’ favorite targets in PyPI. As of writing, this attack still appears to be active and has come
The Phylum Research Team turns four this month, and regular readers of this blog have seen how our team has exposed a wide variety of open-source malware campaigns. We have tracked down authors and their packages
On Wednesday, February 21, Phylum’s automated risk detection platform alerted us to an anomalous publication of a PyPI package named django-log-tracker. This package was first published to PyPI in April 2022. The linked Github repository