(no title)

We actively monitor and report on malware and software supply chain attacks across multiple ecosystems. Most notably, we were the first to identify and report on attacks carried out by North Korean state actors in NPM [1], prevented an early typosquat campaign against Rust developers on crates.io [2] and recently a faux email validation utility with a fairly complicated attack chain [3].

We've been monitoring npm the longest, and while I wouldn't classify this particular attack as complex or sophisticated, it's interesting in that it continues the trend of targeting build systems (and more generally, developers).

Our goal is to help clean up as many of these registries as possible, and to provide developers with the tooling to better protect themselves from attack. In doing so, we're open sourcing as many things as we can. We recently open sourced our sandbox [4] that helps lock down disk/networking/env during process execution and have baked this into our open source cli so you can do things like:

    phylum npm install <pkg>

Would greatly appreciate any feedback on our extensions and suggestions for improving our sandbox! We recently had a few individuals submit some great issues and suggestions, which we absolutely loved receiving.

Happy to answer any questions about software supply chain attacks or security in general!

1. https://blog.phylum.io/junes-sophisticated-npm-attack-attrib...

2. https://blog.phylum.io/rust-malware-staged-on-crates-io/

3. https://blog.phylum.io/npm-emails-validator-package-malware/

4. https://github.com/phylum-dev/birdcage

5. https://github.com/phylum-dev/cli