Insights and Resources

Internally Hosted Dependencies: A Losing Battle

There are well-known issues and uncertainties that come with third-party dependencies such as stale libraries containing vulnerabilities, malicious authors, and poorly-vetted contributions. As a result, many organizations seek to alleviate risk by auditing source at import

Phylum Research Team Mar 23, 2021 3 min read

Subscribe to our research

Keep up with the latest software supply chain attacks

Repo Jacking: Hidden Danger in Broken Links

When contemplating the dangers of 3rd party libraries, there are a lot of things you can't control. While issues related to direct contribution...

Phylum Research Team Mar 17, 2021 4 min read

How to Understand and Defend Against SolarWinds-Type Attacks

In late 2020, one of the most devastating cyber attacks of the last decade was discovered: the SolarWinds breach. It was a notable event for...

Phylum Research Team Jan 9, 2021 6 min read

The State of the NPM Ecosystem

What does the upstream for major packages really look like? Over the past few years, the shape of the open source ecosystem landscape has shifted drastically, exploding both in the volume of published code, and also the number of dependencies that live upstream from a given library....

Phylum Research Team Aug 10, 2020 9 min read

Typosquatting and Other Attacks Against Open Source Dependencies

In November of 2018 a malicious Javascript package was identified and subsequently removed from the NPM ecosystem. A nefarious modification was introduced into this package,...

Phylum Research Team Jul 27, 2020 4 min read