Skip Navigation
Researchers Uncover npm Package Delivering RAT Via Microsoft Executable
blog.phylum.io npm Package Found Delivering Sophisticated RAT

On January 12, 2024 Phylum’s automated risk detection platform alerted us to a suspicious publication on npm. The package in question, oscompatible, contained a few strange binaries, including a single exe file, a single DLL file, and an encrypted dat file. The only JavaScript file present, index.js...

npm Package Found Delivering Sophisticated RAT
1
Malicious Nuget Packages Found Delivering SeroXen RAT
blog.phylum.io Phylum Discovers SeroXen RAT in Typosquatted NuGet Package

On October 6, 2023, Phylum’s automated risk detection platform alerted us to a suspicious publication on NuGet. After working through several layers of obfuscation we ultimately discovered that this package was delivering SeroXen RAT. Background The package in question is Pathoschild.Stardew.Mod....

Phylum Discovers SeroXen RAT in Typosquatted NuGet Package
0
Cloud Provider Credentials Targeted in New PyPI Malware Campaign
blog.phylum.io Cloud Provider Credentials Targeted in New PyPI Malware Campaign

Over the weekend, Phylum’s automated risk detection alerted us to a series of publications surrounding packages on PyPI, all purporting to be some kind of cloud provider SDK or helper package. While these packages do, in fact, provide the purported functionality, they also surreptitiously ship the c...

Cloud Provider Credentials Targeted in New PyPI Malware Campaign
0
Proc macro sandboxing
  • we’re working on a third party solution for this. Should have some updates that sandbox cargo builds shortly.

    https://github.com/phylum-dev/birdcage

    It’s a cross-platform sandbox that works on Linux via Landlock and macOS via Seatbelt. We’ve rolled this into our CLI (https://github.com/phylum-dev/cli) so you can do thinks like:

    phylum  
    

    For example for npm, which currently uses the sandbox:

    phylum npm install
    

    We’re adding this to cargo to similarly sandbox crate installations. Would love feedback and thoughts on our sandbox!

  • Rust Malware Staged on Crates.io
  • I'm one of the co-founders @ Phylum. We have a history of reporting these attacks/malware to the appropriate organizations. We work closely with PyPI, NPM, Github, and others - and have reported thousands of malicious packages in the last few years. If you were following GIthub's recent security advisory, you can see a shout-out for some of our previous work. There are also public thanks from the Crates.io team for our efforts over on HN.

    I say all this to assure you we didn't write or release this malware. It just wouldn't make sense, especially when these open-source ecosystems contain so much malware for us to hunt and report on already. Though I get the logic, we have seen other security companies do this - and called them out for it.

    Our platform is free for developers and small teams (heck, I'll give anyone who asks for it a free pro account if you really need it). We've open-sourced our CLI and sandbox that limits access to network/disk/env during package installation. We're genuinely - really - trying to help make these ecosystems safer.

  • InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)EX
    expertmadman @sh.itjust.works
    Posts 5
    Comments 6