Phylum’s Monthly Malware Report: April 2022 - Malware Magnified

Phylum’s Monthly Malware Report: April 2022 - Malware Magnified

In order to combat the massive uptick in software supply chain attacks, and proactively defend against software supply chain-borne threats from the open-source ecosystem, Phylum has been purpose-built to provide near-real-time, proactive analysis of packages as they are published. Given how vast these ecosystems are today, it is apparent that simply hiring security talent to attempt analysis is a losing battle. In the past 30 days, Phylum has processed a total of 647,928 packages across three ecosystems (NPM, PyPI, and RubyGems) - with an average of 20,933 packages per day, which amounts to the analysis of an average of 3,219,943 source files every 24 hours. This adds up to 99,818,244 total files in the last month.

Repository Statistics
Package Registry No. of Packages
NPM 555,115
PyPI 84,982
RubyGems 8,831
Total Package Analysis
Analysis, last 30 days Count
Total Packages Analyzed 647,928
Total Files Examined 99,818,244
Malicious Packages Identified 714
Breakout by File Type
Filetype Count
TypeScript 37,878,699
JavaScript 48,636,490
ECMAScript modules 1,531,637
Ruby 1,052,107
Python 8,146,348
TSX 257280
CommonJS modules 257,280
Bash 106,579
Java 175,499
Total 99,818,244

Phylum’s heuristics, analytics, and machine learning models then combed through these packages as they were published, resulting in the identification and conviction of 714 malicious packages in the last 30 days. Results in an average were returned within 10.9 minutes of publication.

Many of these packages were tied to existing campaigns (detailed below), along with some new (apparent) rogue actors.

Malware Spotlight

Based upon the 714 malicious packages identified in April, the Malware Spotlight needs a full write-up. Full spotlight and commentary to be released in the coming days!!

Packages of Interest
adal agrifood-farming add-position
addon-actions ai-anomaly-detector ai-document-translator
addon-links agrifood-farming-rest arm-advisor
arm-analysisservices ai-document-translator-rest antani-ui
arm-apimanagement any-vega arm-appconfiguration
api-extractor applicationinsights-analytics applicationinsights-analytics-js
arm-appinsights arm-appplatform arm-appservice
applicationinsights-common applicationinsights-dependencies applicationinsights-dependencies-js
arm-attestation arm-authorization arm-avs
applicationinsights-properties applicationinsights-properties-js applicationinsights-react-js
applicationinsights-shims applicationinsights-web arm-kusto
arm-lock arm-policyinsights arm-securityinsights
arm-azurestack arm-azurestackhci arm-batch
arm-billing arm-botservice arm-cdn
asset_cli_tool autocomplete-core autocomplete-preset-algolia
autocomplete-shared autorest-schemas autorest.gotest
autorest.testmodeler autorest.testserver azure-agrifood
arm-changeanalysis arm-cognitiveservices arm-commerce
azure-agrifood-farming-samples-js azure-agrifood-farming-samples-ts azure-ai
azure-ai-anomaly-detector-samples-js azure-ai-anomaly-detector-samples-ts arm-commitmentplans
arm-communication arm-compute arm-confluent
azure-ai-form-recognizer-samples-js azure-ai-form-recognizer-samples-ts arm-consumption
azure-ai-text-analytics-samples-ts azure-app-configuration-samples-js azure-app-configuration-samples-ts
azure-communication-identity-samples-js azure-communication-identity-samples-ts azure-communication-phone-numbers-samples-ts
azure-communication-short-codes-samples-js azure-communication-short-codes-samples-ts azure-communication-sms-samples-js
azure-communication-sms-samples-ts azure-confidential-ledger-samples-js azure-core-rest-pipeline-samples-js
arm-containerinstance arm-containerregistry arm-containerservice
arm-cosmosdb arm-customerinsights arm-databox
azure-data azure-digital azure-digital-twins-core-samples-ts
azure-event-hubs-express azure-event-hubs-samples-browser azure-event-hubs-samples-js
azure-event-processor azure-event-processor-host-samples-bowser azure-event-processor-host-samples-express
azure-event-processor-host-samples-js azure-eventgrid-samples-ts azure-identity-samples-js
azure-iot azure-iot-modelsrepository-samples-ts azure-iot-ux-baseline
arm-databoxedge arm-databricks arm-datacatalog
azure-iot-ux-fluent-controls azure-js-dev-tools azure-keyvault-admin-samples-js
azure-keyvault-certificates-samples-ts azure-keyvault-keys-samples-js azure-keyvault-keys-samples-ts
arm-datadog arm-datafactory arm-datalake-analytics
arm-datamigration arm-deploymentmanager arm-desktopvirtualization
arm-deviceprovisioningservices arm-devspaces arm-devtestlabs
azure-mixed-reality-authentication-samples-ts azure-mock-hub-samples-js azure-mock-hub-samples-ts
azure-monitor-opentelemetry azure-monitor-opentelemetry-exporter-samples-ts azure-monitor-query-samples-ts
azure-purview-account-samples-js azure-purview-account-samples-ts azure-purview-administration-samples-js
azure-purview-scanning-samples-js azure-purview-scanning-samples-ts azure-quantum-jobs-samples-js
azure-schema azure-schema-registry-avro-samples-ts azure-schema-registry-samples-js
azure-schema-registry-samples-ts azure-sdk-for-java-codegen azure-search-documents-samples-js
azure-search-documents-samples-ts azure-service-bus-samples-js azure-service-bus-samples-ts
azure-storage-blob-changefeed-samples-js azure-storage-blob-changefeed-samples-ts azure-storage-blob-samples-js
azure-storage-blob-samples-ts azure-storage-file-share-samples-js azure-synapse
azure-synapse-access-control-samples-ts azure-template-samples-ts azure-video-analyzer-edge-samples-js
azure-video-analyzer-edge-samples-ts azure-web azure-web-pubsub-express-samples-ts
azure-web-pubsub-samples-js babel-plugin-replace-jsx-attribute-value arm-digitaltwins
arm-dns arm-dnsresolver arm-domainservices
arm-eventgrid arm-eventhub arm-extendedlocation
babel-plugin-svg-dynamic-title banana-module batch-execute
bfx-hf-signals bfx-hf-strategy-exec bottom-tabs
arm-features arm-frontdoor arm-hanaonazure
arm-hdinsight arm-healthbot arm-healthcareapis
build-ng-packagr build-optimizer cache-browser-local-storage
cache-common channel-postmessage check-treeshaking
ci-detect arm-hybridcompute arm-hybridkubernetes
arm-imagebuilder arm-iotcentral arm-iothub
ci-detect cli-debugger-ui cli-hermes
cli-microsoft365 cli-platform-android cli-platform-ios
cli-server-api client-account client-recommendation
arm-keyvault arm-kubernetesconfiguration arm-labservices
arm-links arm-loadtestservice arm-locks
arm-logic arm-machinelearningcompute arm-machinelearningexperimentation
collect-uncommitted collect-updates communication-signaling
compat-data compiler-cli compiler_gym-frontend
confidential-ledger-rest config-array context-base
core-client-lro core-client-paging core-client-rest
cosmos-language-service create-cache-key-function create-free-dazaar-core
cspell-types dashboard-isolated-widget-accessor date-time-utilities
dazaar-card-publisher dazaar-cli dazaar-guild
dazaar-payment describe-ref directory-listing
disparity-colors eslint-parser eslintsprinker
exchange_clients filter-options filter-packages
first-with-side-effect floating-point-hex-parser flow-dev-tools
fluent-theme fontawesome-common-types foundation-legacy
fourth-with-side-effect free-solid-svg-icons gdn-usedotnet
get-npm-exec-opts global-options gym-frontend
habitat-sim heft-config-file hello2world2here
helper-annotate helper-api-error helper-builder-binary-assignment-operator-visitor
helper-builder-react-jsx helper-builder-react-jsx-experimental helper-call-delegate
helper-code-frame helper-compilation-targets helper-create-class-features-plugin
helper-define-polyfill-provider helper-environment-visitor helper-explode-assignable-expression
helper-fsm helper-function-name helper-member-expression-to-functions
helper-module-context helper-module-transforms helper-numbers
helper-optimise-call-expression helper-regex helper-remap-async-to-generator
helper-replace-supers helper-simple-access helper-skip-transparent-expression-wrappers
helper-split-export-declaration helper-validator-identifier helper-wasm-bytecode
helper-wrap-function hypercore-logs-benchmark hyperion-history
identity-browser identity-browser-manual installed-package-contents
iot-cardboard-js iot-device-update-rest is-prop-valid
java.android java.fluent java.fluentnamer
java.preprocessor jest-check js-sdk-release-tools
jsdoccomment json-ref-readers jupyter-widgets
karma-coverage-coffee-example kubernetestest language-service
language-service-next lib-js-util-currencies lib-js-util-marshal
lib-js-util-math lib-js-util-promise lib-js-util-shard
lib-util-err-js link-bins load-nyc-config
make-typed-request map-sources map-workspaces
megarepo mephisto-review-test metavuln-calculator
metro-whatever minirts msal-browser
msal-common msal-node-extensions myhashringimplementation
myths name-from-folder node-core-library
node16 nodehound openapi-tools-common
otplease package-bins package-deps-hash
pkg_with_main pkg_with_nested_main pkg_with_relative_main
platform-browser-dynamic platform-express plugin-bugfix-v8-spread-parameters-in-optional-chaining
plugin-commonjs plugin-enterprise-rest plugin-inject
plugin-json plugin-paginate-rest plugin-proposal-async-generator-functions
plugin-proposal-class-properties plugin-proposal-dynamic-import plugin-proposal-export-default-from
plugin-proposal-export-namespace-from plugin-proposal-json-strings plugin-proposal-logical-assignment-operators
plugin-proposal-nullish-coalescing-operator plugin-proposal-numeric-separator plugin-proposal-optional-catch-binding
plugin-proposal-optional-chaining plugin-proposal-private-property-in-object plugin-proposal-unicode-property-regex
plugin-svgo plugin-syntax-async-generators plugin-syntax-bigint
plugin-syntax-decorators plugin-syntax-export-namespace-from plugin-syntax-flow
plugin-syntax-import-meta plugin-syntax-jsx plugin-syntax-logical-assignment-operators
plugin-syntax-object-rest-spread plugin-syntax-private-property-in-object plugin-syntax-typescript
plugin-transform-block-scoped-functions plugin-transform-block-scoping plugin-transform-classes
plugin-transform-computed-properties plugin-transform-exponentiation-operator plugin-transform-for-of
plugin-transform-function-name plugin-transform-literals plugin-transform-member-expression-literals
plugin-transform-modules-amd plugin-transform-modules-systemjs plugin-transform-modules-umd
plugin-transform-named-capturing-groups-regex plugin-transform-new-target plugin-transform-object-super
plugin-transform-property-literals plugin-transform-react-display-name plugin-transform-react-jsx
plugin-transform-react-jsx-development plugin-transform-react-jsx-self plugin-transform-react-pure-annotations
plugin-transform-reserved-words plugin-transform-runtime plugin-transform-shorthand-properties
plugin-transform-spread plugin-transform-sticky-regex plugin-transform-typeof-symbol
plugin-transform-typescript plugin-transform-unicode-escapes plugin-transform-unicode-regex
pluginutils presentational-components preset-flow
preset-modules preset-typescript pulse-till-done
purview-administration-rest purview-catalog-rest purview-scanning-rest
query-graph react-vis-master read-modules-dir
read-project-manifest regression-test relay-compiler-playground-tests
remapping request-error requester-browser-xhr
requester-node-http rest-api-specs-scripts rig-package
rimraf-dir ringpop-ui run-lifecycle
run-topologically rush-amazon-s3-build-cache-plugin rush-azure-storage-build-cache-plugin
rush-lib rush-sdk samples-web-workers-js
scope-manager sdk-trace-base sdk-trace-node
semantic-conventions settingregistry sinonjs__fake-timers
spectral-core spectral-formats spectral-parsers
spectral-ref-resolver spectral-ruleset-migrator spectral-runtime
static-web-apps-cli storage-file stream-collator
stress-test-track-2 swagger-validation-common symlink-binary
synapse-access-control-1 synapse-access-control-rest test-credential
test-recorder-new test-sequencer testing-library__jest-dom
textvqa tool-cache transform-vega
ts-command-line ufx-ui ungap__url-search-params
util-hex-encoding wasm-edit wast-printer
write-log-file write-project-manifest arm-machinelearningservices
arm-managedapplications arm-managementgroups arm-managementpartner
arm-maps arm-mariadb arm-marketplaceordering arm-mediaservices
arm-migrate arm-mixedreality arm-mobilenetwork
arm-monitor arm-msi arm-mysql
arm-netapp arm-network arm-notificationhubs
arm-oep arm-operationalinsights arm-operations
arm-orbital arm-peering arm-policy
arm-portal arm-postgresql arm-postgresql-flexible
arm-powerbidedicated arm-powerbiembedded arm-privatedns
arm-purview arm-quota arm-recoveryservices
arm-recoveryservices-siterecovery arm-recoveryservicesbackup arm-rediscache
arm-redisenterprisecache arm-relay arm-reservations
arm-resourcegraph arm-resourcehealth arm-resourcemover
arm-resources arm-resources-subscriptions arm-search
arm-security arm-serialconsole arm-servicebus
arm-servicefabric arm-servicefabricmesh arm-servicemap
arm-signalr arm-sql arm-sqlvirtualmachine
arm-storage arm-storagecache arm-storageimportexport
arm-storagesync arm-storsimple1200series arm-storsimple8000series
arm-streamanalytics arm-subscriptions arm-support
arm-synapse arm-templatespecs arm-timeseriesinsights
arm-trafficmanager arm-videoanalyzer arm-visualstudio
arm-vmwarecloudsimple arm-webpubsub arm-webservices
arm-workspaces cadl-autorest cadl-azure-core
cadl-azure-resource-manager cadl-playground cadl-providerhub
cadl-providerhub-controller cadl-providerhub-templates-contoso cadl-samples
codemodel communication-chat communication-common
communication-identity communication-network-traversal communication-phone-numbers
communication-short-codes communication-sms confidential-ledger
core-amqp core-asynciterator-polyfill core-auth
core-client-1 core-http core-http-compat
core-lro core-paging core-rest-pipeline
core-tracing core-xml deduplication
digital-twins-core dll-docs dtdl-parser
eslint-config-cadl eslint-plugin-azure-sdk eventhubs-checkpointstore-blob
eventhubs-checkpointstore-table extension-base helloworld123ccwq
identity-cache-persistence identity-vscode iot-device-update
iot-device-update-1 iot-modelsrepository keyvault-admin
mixed-reality-authentication mixed-reality-remote-rendering modelerfour
monitor-opentelemetry-exporter oai2-to-oai3 openapi3
opentelemetry-instrumentation-azure-sdk pnpmfile.js prettier-plugin-cadl
purview-administration purview-catalog purview-scanning
quantum-jobs storage-blob-changefeed storage-file-datalake
storage-queue synapse-access-control synapse-artifacts
synapse-managed-private-endpoints synapse-monitoring synapse-spark
test-public-packages test-utils-perf testing-recorder-new
testmodeler video-analyzer-edge videojs-wistia
web-pubsub web-pubsub-express

 

uber-blue-20 airbnb-logo-white uber-white-10
packmet uber-origin uber-source
uber-debug airbnb-i18n pod-smartphone-api
uber-client-name uber-device-os uber-client-version
uber-black uber-developers uber-black-60
useoctocli bancolombia-design-system bancolombia-design-system
bancolombia-design-system uber-chevron-title myhood
uber-eats-food-delivery uber-device-language package-inherit
uber-blue-10 uber-uuid uber-eats
uber-poet airbnb-for-work-sections epic-ue-themes-la
uber-blue-60 uber-research uber-us-insurance
uber-offerings uber-white-20 uber-web
uber-black-80 uber-searchfield-container uber-region-id
uber-xhr uber-one-genie pod-smartphone-api
airbnb-for-work mailjet-react-components uber-listen
uber-fonts logic-lib-emp airbnb-hyperloop
uber-mobile uber-screenflow-client-version uber-black-40
jetpack-config uber-device uber-set-cookie-v2
uber-go uber-blue-120 uber-token
uber-logo uber-xps uber-device-epoch
uber-device-location-altitude uber-drive uber-ride
airbnb-jitney-schemas uber-for-business-product-recap-2021 uber-partner-widget-localiza
uber-white-120 com.unity.ai.navigation.components uber-logo-desc
airbnb-bootstrap-data uber-icons uber-eats-app
uber-logo-title nautilus-commerce uber-electric-scooter
uber-white uber-one-logged-out uber-freight-2022-market-outlook
jetpack-config jetpack-config testeaaa
uber-device-ids uber-common uber-demand-channel
qjwt airbnb-org-sections uber-et-uber-eats
uber-device-id qjwt uber-white-80
uber-on-way-to-hospital uber-app-variant uber-blue
uber-blue-80 uber-one uber-push-service
airbnb-logo-red uber-device-model uber-freight-customer-story
jitsi-meet-redux uber-client-session uber-com
uber-black-90 bsd-global-nav-design-ui notepadplusplus-keybindings
uber-white-60 uber-blue-40 uber-white-40
push-package-action airbnb-dls-web qjwt
uber-chevron-desc uber-open-summit-sofia uber-freight-h2-2021-market-insights
uber-black-95

 

 

Why Phylum & What’s Coming Next…

Phylum’s capabilities extend beyond pure source code analysis. We have constructed authorship models that, in combination with other metrics, allow us to identify odd behaviors around commits and activity. We analyze maintainer information for a package, allowing us to spot packages that have recently changed ownership that may be at risk for the introduction of malware (as was the case with even-stream in 2018).

As we look forward, we are imminently preparing the release of C#/Nuget and Java/Maven support. In addition to this, we are pushing hard to increase both the sophistication and number of our heuristics and analytics.

Phylum, at its core, is a risk detection system focusing on the software supply chain. Unlike other SCA products that focus nearly exclusively on well-known issues, we are looking for the unknown unknowns - the subtle modifications to a software package that will surreptitiously exfiltrate keys to your critical infrastructure. We do this at the scale of open source, tackling the problem in an automated fashion, to make software supply chain security proactive instead of merely reactive.

To learn more about Phylum’s automated malware identification capability and how we support secure and efficient use of open-source software please contact us for a conversation.

Phylum Research Team

Phylum Research Team

Hackers, Data Scientists, and Engineers responsible for the identification and takedown of software supply chain attackers.