Phylum

📢 Breaking news: We’re beyond excited to announce that our malicious package analysis, detection, and mitigation technology has been acquired by @Veracode! Together, we’ll take software supply chain security to the next level. Read more below: veracode.com/press-release/…

Phylum Exclusive Research Report by #CEO, Aaron Bray ⚔️ 2025 Software Supply Chain Security Trends & Predictions: AI, Shadow Application Development and Nation-State Attacks - blog.phylum.io/2025-trends-pr… #phylumresearch #softwaresupplychainsecurity #2025trends #CEOinsights

"In Q3 2024, Phylum identified 465,897 malicious packages in the software supply chain open source ecosystem." Read the latest Evolution of Software Supply Chain Security Report via the Phylum Research Team - blog.phylum.io/q3-2024-evolut… [7 min read] #DevOps #CISO #opensourceecosystem

Q3 2024 Evolution of Software Supply Chain Security Report via the Phylum Research Team - blog.phylum.io/q3-2024-evolut… #malciouspackages #npm #opensourceecosystem #DevOps #CISO #AppSec #acceptableuse #softwaresupplychainsecurity #CybersecurityAwarenessMonth #CyberSecurity

🎃 Trick or treat? #Malware authors opted for the former with a series of malicious #npm packages targeting #Puppeteer users in an ongoing #typosquat campaign! blog.phylum.io/supply-chain-s… #nodejs #npm #ethereum #opensource #javascript #cryptocurrency #cybersecurity #infosec

Subscribe to Phylum Research ⚔️ New Report Coming Soon 🔔 blog.phylum.io/subscribe-to-t… #opensource #techcommunity #opensourceecosystem #softwaresupplychain #devops #CISO #AppSec #acceptableuse #techcommunity #developercommunity

Have you ever had your private #crypto keys stolen? #Malware authors have published forks of the popular Ethers library that exfiltrate private keys & give attackers #SSH access to infected machines. blog.phylum.io/trojanized-eth… #npm #opensource #security #ethereum #cryptocurrency

@__grunet @SocketSecurity @nuget We’ve got support for dotnet and Nuget already, and have written a few research blogs on findings in those ecosystems!

What is the analog of @SocketSecurity and @Phylum_IO for the #dotnet and @nuget space?

Phylum For Artifact Repositories and Package Managers blog.phylum.io/phylum-for-art… #opensource #techcommunity #opensourceecosystem #softwaresupplychain #DevOps #CISO #AppSec #acceptableuse #machinelearning #techcommunity #developercommunity

@Phylum_IO I want to translate this article into Chinese, can you authorize me?😀

🇰🇵☠️ Multiple #NorthKorean state actors continue running #malware campaigns against #npm #developers, stealing credentials and financial assets. blog.phylum.io/north-korea-st… #dprk #moonsleet #contagiousinterview #CyberSecurity #javascript #opensource

@t3dotgg We loved the video ♥️

npm got spammed with a terrible crypto incentive program. Never seen anything like it. Thankful Max owned it but it's still bad enough that I wanted to publish the video

@utollwi @ElisityInc @fastly @NetSPI @Bugcrowd @cyera_io @LastPass @InvictiSecurity @Mend_io @penterasec @Cymulateltd @jfrog @contrastsec @sonatype @torq_io @EFF @traceableai @ZeroFox 🐦🕶️

Who has the best sticker at #BHUSA 2024? @elisityinc @fastly @NetSPI @Bugcrowd @cyera_io @LastPass @InvictiSecurity @Mend_io @penterasec @Cymulateltd @jfrog @contrastsec @Phylum_IO @sonatype @torq_io @EFF @traceableai @ZeroFox

@ianbishop2021 Thanks for the heads up! Reviewed on our side, and it seems to be resolving properly! We'll keep an eye on it 👍

@Phylum_IO - Looks like someone nuked the DNS entry for blog.phylum.io

In the last 6 months, roughly 70% of new #npm packages were #spam. What does this mean for supply chain security? At Black Hat USA? Find us in Startup City booth SC203! #npmjs #node #javascript #typescript #infosec #opensource blog.phylum.io/the-great-npm-…

Code sneaked into fake AWS downloaded hundreds of times backdoored dev devices arstechnica.com/?p=2037194

We've uncovered #malware hidden in a Microsoft logo JPG, shipping as fake #AWS packages on #npm! 😲 blog.phylum.io/fake-aws-packa… #steganography #opensource #cybersecurity #npmjs #javascript #typescript #SoftwareDevelopment #informationsecurity

Advanced threat actors have not let up on their attacks against the software supply chain. We catalog recent attacks from North Korean state actors in our new blog post! #npm #javascript #typescript #malware #cybersecurity #npmjs blog.phylum.io/new-tactics-fr…

@nh0x01 Technically speaking, jsdelivr will auto-convert any Github link into a resource it serves. So, as long as it's on GH, any CDN resources should be valid. With that said, we've tried to find instances of resources in our write-up that are being used, and they seem to be gone!

@Phylum_IO Truly complicated. Wondering how many websites are using the infected scripts. Are these scripts still hosted in CDNs, or they're removed? Sharing the CDN links could be helpful to identify infection in our own websites. Please share if they're still there

Supply chain attacks come in all shapes and sizes. Today Phylum Research discusses its discovery of malicious #jQuery files in #npm. blog.phylum.io/persistent-npm… #javascript #opensource #sbom #js #npmjs #node #CyberSecurity