Phylum’s Monthly Malware Report: April 2022 – Malware Magnified
Note: Veracode acquired Phylum in January 2025, after this blog was published, and it has been migrated to Veracode’s blog.
In order to combat the massive uptick in software supply chain attacks, and proactively defend against software supply chain-borne threats from the open-source ecosystem, Phylum has been purpose-built to provide near-real-time, proactive analysis of packages as they are published. Given how vast these ecosystems are today, it is apparent that simply hiring security talent to attempt analysis is a losing battle. In the past 30 days, Phylum has processed a total of 647,928 packages across three ecosystems (NPM, PyPI, and RubyGems) – with an average of 20,933 packages per day, which amounts to the analysis of an average of 3,219,943 source files every 24 hours. This adds up to 99,818,244 total files in the last month.
Repository Statistics
| Package Registry | No. of Packages |
|---|---|
| NPM | 555,115 |
| PyPI | 84,982 |
| RubyGems | 8,831 |
Total Package Analysis
| Analysis, last 30 days | Count |
|---|---|
| Total Packages Analyzed | 647,928 |
| Total Files Examined | 99,818,244 |
| Malicious Packages Identified | 714 |
Breakout by File Type
| Filetype | Count |
|---|---|
| TypeScript | 37,878,699 |
| JavaScript | 48,636,490 |
| ECMAScript modules | 1,531,637 |
| Ruby | 1,052,107 |
| Python | 8,146,348 |
| TSX | 257280 |
| CommonJS modules | 257,280 |
| Bash | 106,579 |
| Java | 175,499 |
| Total | 99,818,244 |
Phylum’s heuristics, analytics, and machine learning models then combed through these packages as they were published, resulting in the identification and conviction of 714 malicious packages in the last 30 days. Results in an average were returned within 10.9 minutes of publication.
Many of these packages were tied to existing campaigns (detailed below), along with some new (apparent) rogue actors.
Malware Spotlight
Based upon the 714 malicious packages identified in April, the Malware Spotlight needs a full write-up. Full spotlight and commentary to be released in the coming days!!
Packages of Interest
| adal | agrifood-farming | add-position |
| addon-actions | ai-anomaly-detector | ai-document-translator |
| addon-links | agrifood-farming-rest | arm-advisor |
| arm-analysisservices | ai-document-translator-rest | antani-ui |
| arm-apimanagement | any-vega | arm-appconfiguration |
| api-extractor | applicationinsights-analytics | applicationinsights-analytics-js |
| arm-appinsights | arm-appplatform | arm-appservice |
| applicationinsights-common | applicationinsights-dependencies | applicationinsights-dependencies-js |
| arm-attestation | arm-authorization | arm-avs |
| applicationinsights-properties | applicationinsights-properties-js | applicationinsights-react-js |
| applicationinsights-shims | applicationinsights-web | arm-kusto |
| arm-lock | arm-policyinsights | arm-securityinsights |
| arm-azurestack | arm-azurestackhci | arm-batch |
| arm-billing | arm-botservice | arm-cdn |
| asset_cli_tool | autocomplete-core | autocomplete-preset-algolia |
| autocomplete-shared | autorest-schemas | autorest.gotest |
| autorest.testmodeler | autorest.testserver | azure-agrifood |
| arm-changeanalysis | arm-cognitiveservices | arm-commerce |
| azure-agrifood-farming-samples-js | azure-agrifood-farming-samples-ts | azure-ai |
| azure-ai-anomaly-detector-samples-js | azure-ai-anomaly-detector-samples-ts | arm-commitmentplans |
| arm-communication | arm-compute | arm-confluent |
| azure-ai-form-recognizer-samples-js | azure-ai-form-recognizer-samples-ts | arm-consumption |
| azure-ai-text-analytics-samples-ts | azure-app-configuration-samples-js | azure-app-configuration-samples-ts |
| azure-communication-identity-samples-js | azure-communication-identity-samples-ts | azure-communication-phone-numbers-samples-ts |
| azure-communication-short-codes-samples-js | azure-communication-short-codes-samples-ts | azure-communication-sms-samples-js |
| azure-communication-sms-samples-ts | azure-confidential-ledger-samples-js | azure-core-rest-pipeline-samples-js |
| arm-containerinstance | arm-containerregistry | arm-containerservice |
| arm-cosmosdb | arm-customerinsights | arm-databox |
| azure-data | azure-digital | azure-digital-twins-core-samples-ts |
| azure-event-hubs-express | azure-event-hubs-samples-browser | azure-event-hubs-samples-js |
| azure-event-processor | azure-event-processor-host-samples-bowser | azure-event-processor-host-samples-express |
| azure-event-processor-host-samples-js | azure-eventgrid-samples-ts | azure-identity-samples-js |
| azure-iot | azure-iot-modelsrepository-samples-ts | azure-iot-ux-baseline |
| arm-databoxedge | arm-databricks | arm-datacatalog |
| azure-iot-ux-fluent-controls | azure-js-dev-tools | azure-keyvault-admin-samples-js |
| azure-keyvault-certificates-samples-ts | azure-keyvault-keys-samples-js | azure-keyvault-keys-samples-ts |
| arm-datadog | arm-datafactory | arm-datalake-analytics |
| arm-datamigration | arm-deploymentmanager | arm-desktopvirtualization |
| arm-deviceprovisioningservices | arm-devspaces | arm-devtestlabs |
| azure-mixed-reality-authentication-samples-ts | azure-mock-hub-samples-js | azure-mock-hub-samples-ts |
| azure-monitor-opentelemetry | azure-monitor-opentelemetry-exporter-samples-ts | azure-monitor-query-samples-ts |
| azure-purview-account-samples-js | azure-purview-account-samples-ts | azure-purview-administration-samples-js |
| azure-purview-scanning-samples-js | azure-purview-scanning-samples-ts | azure-quantum-jobs-samples-js |
| azure-schema | azure-schema-registry-avro-samples-ts | azure-schema-registry-samples-js |
| azure-schema-registry-samples-ts | azure-sdk-for-java-codegen | azure-search-documents-samples-js |
| azure-search-documents-samples-ts | azure-service-bus-samples-js | azure-service-bus-samples-ts |
| azure-storage-blob-changefeed-samples-js | azure-storage-blob-changefeed-samples-ts | azure-storage-blob-samples-js |
| azure-storage-blob-samples-ts | azure-storage-file-share-samples-js | azure-synapse |
| azure-synapse-access-control-samples-ts | azure-template-samples-ts | azure-video-analyzer-edge-samples-js |
| azure-video-analyzer-edge-samples-ts | azure-web | azure-web-pubsub-express-samples-ts |
| azure-web-pubsub-samples-js | babel-plugin-replace-jsx-attribute-value | arm-digitaltwins |
| arm-dns | arm-dnsresolver | arm-domainservices |
| arm-eventgrid | arm-eventhub | arm-extendedlocation |
| babel-plugin-svg-dynamic-title | banana-module | batch-execute |
| bfx-hf-signals | bfx-hf-strategy-exec | bottom-tabs |
| arm-features | arm-frontdoor | arm-hanaonazure |
| arm-hdinsight | arm-healthbot | arm-healthcareapis |
| build-ng-packagr | build-optimizer | cache-browser-local-storage |
| cache-common | channel-postmessage | check-treeshaking |
| ci-detect | arm-hybridcompute | arm-hybridkubernetes |
| arm-imagebuilder | arm-iotcentral | arm-iothub |
| ci-detect | cli-debugger-ui | cli-hermes |
| cli-microsoft365 | cli-platform-android | cli-platform-ios |
| cli-server-api | client-account | client-recommendation |
| arm-keyvault | arm-kubernetesconfiguration | arm-labservices |
| arm-links | arm-loadtestservice | arm-locks |
| arm-logic | arm-machinelearningcompute | arm-machinelearningexperimentation |
| collect-uncommitted | collect-updates | communication-signaling |
| compat-data | compiler-cli | compiler_gym-frontend |
| confidential-ledger-rest | config-array | context-base |
| core-client-lro | core-client-paging | core-client-rest |
| cosmos-language-service | create-cache-key-function | create-free-dazaar-core |
| cspell-types | dashboard-isolated-widget-accessor | date-time-utilities |
| dazaar-card-publisher | dazaar-cli | dazaar-guild |
| dazaar-payment | describe-ref | directory-listing |
| disparity-colors | eslint-parser | eslintsprinker |
| exchange_clients | filter-options | filter-packages |
| first-with-side-effect | floating-point-hex-parser | flow-dev-tools |
| fluent-theme | fontawesome-common-types | foundation-legacy |
| fourth-with-side-effect | free-solid-svg-icons | gdn-usedotnet |
| get-npm-exec-opts | global-options | gym-frontend |
| habitat-sim | heft-config-file | hello2world2here |
| helper-annotate | helper-api-error | helper-builder-binary-assignment-operator-visitor |
| helper-builder-react-jsx | helper-builder-react-jsx-experimental | helper-call-delegate |
| helper-code-frame | helper-compilation-targets | helper-create-class-features-plugin |
| helper-define-polyfill-provider | helper-environment-visitor | helper-explode-assignable-expression |
| helper-fsm | helper-function-name | helper-member-expression-to-functions |
| helper-module-context | helper-module-transforms | helper-numbers |
| helper-optimise-call-expression | helper-regex | helper-remap-async-to-generator |
| helper-replace-supers | helper-simple-access | helper-skip-transparent-expression-wrappers |
| helper-split-export-declaration | helper-validator-identifier | helper-wasm-bytecode |
| helper-wrap-function | hypercore-logs-benchmark | hyperion-history |
| identity-browser | identity-browser-manual | installed-package-contents |
| iot-cardboard-js | iot-device-update-rest | is-prop-valid |
| java.android | java.fluent | java.fluentnamer |
| java.preprocessor | jest-check | js-sdk-release-tools |
| jsdoccomment | json-ref-readers | jupyter-widgets |
| karma-coverage-coffee-example | kubernetestest | language-service |
| language-service-next | lib-js-util-currencies | lib-js-util-marshal |
| lib-js-util-math | lib-js-util-promise | lib-js-util-shard |
| lib-util-err-js | link-bins | load-nyc-config |
| make-typed-request | map-sources | map-workspaces |
| megarepo | mephisto-review-test | metavuln-calculator |
| metro-whatever | minirts | msal-browser |
| msal-common | msal-node-extensions | myhashringimplementation |
| myths | name-from-folder | node-core-library |
| node16 | nodehound | openapi-tools-common |
| otplease | package-bins | package-deps-hash |
| pkg_with_main | pkg_with_nested_main | pkg_with_relative_main |
| platform-browser-dynamic | platform-express | plugin-bugfix-v8-spread-parameters-in-optional-chaining |
| plugin-commonjs | plugin-enterprise-rest | plugin-inject |
| plugin-json | plugin-paginate-rest | plugin-proposal-async-generator-functions |
| plugin-proposal-class-properties | plugin-proposal-dynamic-import | plugin-proposal-export-default-from |
| plugin-proposal-export-namespace-from | plugin-proposal-json-strings | plugin-proposal-logical-assignment-operators |
| plugin-proposal-nullish-coalescing-operator | plugin-proposal-numeric-separator | plugin-proposal-optional-catch-binding |
| plugin-proposal-optional-chaining | plugin-proposal-private-property-in-object | plugin-proposal-unicode-property-regex |
| plugin-svgo | plugin-syntax-async-generators | plugin-syntax-bigint |
| plugin-syntax-decorators | plugin-syntax-export-namespace-from | plugin-syntax-flow |
| plugin-syntax-import-meta | plugin-syntax-jsx | plugin-syntax-logical-assignment-operators |
| plugin-syntax-object-rest-spread | plugin-syntax-private-property-in-object | plugin-syntax-typescript |
| plugin-transform-block-scoped-functions | plugin-transform-block-scoping | plugin-transform-classes |
| plugin-transform-computed-properties | plugin-transform-exponentiation-operator | plugin-transform-for-of |
| plugin-transform-function-name | plugin-transform-literals | plugin-transform-member-expression-literals |
| plugin-transform-modules-amd | plugin-transform-modules-systemjs | plugin-transform-modules-umd |
| plugin-transform-named-capturing-groups-regex | plugin-transform-new-target | plugin-transform-object-super |
| plugin-transform-property-literals | plugin-transform-react-display-name | plugin-transform-react-jsx |
| plugin-transform-react-jsx-development | plugin-transform-react-jsx-self | plugin-transform-react-pure-annotations |
| plugin-transform-reserved-words | plugin-transform-runtime | plugin-transform-shorthand-properties |
| plugin-transform-spread | plugin-transform-sticky-regex | plugin-transform-typeof-symbol |
| plugin-transform-typescript | plugin-transform-unicode-escapes | plugin-transform-unicode-regex |
| pluginutils | presentational-components | preset-flow |
| preset-modules | preset-typescript | pulse-till-done |
| purview-administration-rest | purview-catalog-rest | purview-scanning-rest |
| query-graph | react-vis-master | read-modules-dir |
| read-project-manifest | regression-test | relay-compiler-playground-tests |
| remapping | request-error | requester-browser-xhr |
| requester-node-http | rest-api-specs-scripts | rig-package |
| rimraf-dir | ringpop-ui | run-lifecycle |
| run-topologically | rush-amazon-s3-build-cache-plugin | rush-azure-storage-build-cache-plugin |
| rush-lib | rush-sdk | samples-web-workers-js |
| scope-manager | sdk-trace-base | sdk-trace-node |
| semantic-conventions | settingregistry | sinonjs__fake-timers |
| spectral-core | spectral-formats | spectral-parsers |
| spectral-ref-resolver | spectral-ruleset-migrator | spectral-runtime |
| static-web-apps-cli | storage-file | stream-collator |
| stress-test-track-2 | swagger-validation-common | symlink-binary |
| synapse-access-control-1 | synapse-access-control-rest | test-credential |
| test-recorder-new | test-sequencer | testing-library__jest-dom |
| textvqa | tool-cache | transform-vega |
| ts-command-line | ufx-ui | ungap__url-search-params |
| util-hex-encoding | wasm-edit | wast-printer |
| write-log-file | write-project-manifest | arm-machinelearningservices |
| arm-managedapplications | arm-managementgroups | arm-managementpartner |
| arm-maps arm-mariadb | arm-marketplaceordering | arm-mediaservices |
| arm-migrate | arm-mixedreality | arm-mobilenetwork |
| arm-monitor | arm-msi | arm-mysql |
| arm-netapp | arm-network | arm-notificationhubs |
| arm-oep | arm-operationalinsights | arm-operations |
| arm-orbital | arm-peering | arm-policy |
| arm-portal | arm-postgresql | arm-postgresql-flexible |
| arm-powerbidedicated | arm-powerbiembedded | arm-privatedns |
| arm-purview | arm-quota | arm-recoveryservices |
| arm-recoveryservices-siterecovery | arm-recoveryservicesbackup | arm-rediscache |
| arm-redisenterprisecache | arm-relay | arm-reservations |
| arm-resourcegraph | arm-resourcehealth | arm-resourcemover |
| arm-resources | arm-resources-subscriptions | arm-search |
| arm-security | arm-serialconsole | arm-servicebus |
| arm-servicefabric | arm-servicefabricmesh | arm-servicemap |
| arm-signalr | arm-sql | arm-sqlvirtualmachine |
| arm-storage | arm-storagecache | arm-storageimportexport |
| arm-storagesync | arm-storsimple1200series | arm-storsimple8000series |
| arm-streamanalytics | arm-subscriptions | arm-support |
| arm-synapse | arm-templatespecs | arm-timeseriesinsights |
| arm-trafficmanager | arm-videoanalyzer | arm-visualstudio |
| arm-vmwarecloudsimple | arm-webpubsub | arm-webservices |
| arm-workspaces | cadl-autorest | cadl-azure-core |
| cadl-azure-resource-manager | cadl-playground | cadl-providerhub |
| cadl-providerhub-controller | cadl-providerhub-templates-contoso | cadl-samples |
| codemodel | communication-chat | communication-common |
| communication-identity | communication-network-traversal | communication-phone-numbers |
| communication-short-codes | communication-sms | confidential-ledger |
| core-amqp | core-asynciterator-polyfill | core-auth |
| core-client-1 | core-http | core-http-compat |
| core-lro | core-paging | core-rest-pipeline |
| core-tracing | core-xml | deduplication |
| digital-twins-core | dll-docs | dtdl-parser |
| eslint-config-cadl | eslint-plugin-azure-sdk | eventhubs-checkpointstore-blob |
| eventhubs-checkpointstore-table | extension-base | helloworld123ccwq |
| identity-cache-persistence | identity-vscode | iot-device-update |
| iot-device-update-1 | iot-modelsrepository | keyvault-admin |
| mixed-reality-authentication | mixed-reality-remote-rendering | modelerfour |
| monitor-opentelemetry-exporter | oai2-to-oai3 | openapi3 |
| opentelemetry-instrumentation-azure-sdk | pnpmfile.js | prettier-plugin-cadl |
| purview-administration | purview-catalog | purview-scanning |
| quantum-jobs | storage-blob-changefeed | storage-file-datalake |
| storage-queue | synapse-access-control | synapse-artifacts |
| synapse-managed-private-endpoints | synapse-monitoring | synapse-spark |
| test-public-packages | test-utils-perf | testing-recorder-new |
| testmodeler | video-analyzer-edge | videojs-wistia |
| web-pubsub | web-pubsub-express | |
| uber-blue-20 | airbnb-logo-white | uber-white-10 |
| packmet | uber-origin | uber-source |
| uber-debug | airbnb-i18n | pod-smartphone-api |
| uber-client-name | uber-device-os | uber-client-version |
| uber-black | uber-developers | uber-black-60 |
| useoctocli | bancolombia-design-system | bancolombia-design-system |
| bancolombia-design-system | uber-chevron-title | myhood |
| uber-eats-food-delivery | uber-device-language | package-inherit |
| uber-blue-10 | uber-uuid | uber-eats |
| uber-poet | airbnb-for-work-sections | epic-ue-themes-la |
| uber-blue-60 | uber-research | uber-us-insurance |
| uber-offerings | uber-white-20 | uber-web |
| uber-black-80 | uber-searchfield-container | uber-region-id |
| uber-xhr | uber-one-genie | pod-smartphone-api |
| airbnb-for-work | mailjet-react-components | uber-listen |
| uber-fonts | logic-lib-emp | airbnb-hyperloop |
| uber-mobile | uber-screenflow-client-version | uber-black-40 |
| jetpack-config | uber-device | uber-set-cookie-v2 |
| uber-go | uber-blue-120 | uber-token |
| uber-logo | uber-xps | uber-device-epoch |
| uber-device-location-altitude | uber-drive | uber-ride |
| airbnb-jitney-schemas | uber-for-business-product-recap-2021 | uber-partner-widget-localiza |
| uber-white-120 | com.unity.ai.navigation.components | uber-logo-desc |
| airbnb-bootstrap-data | uber-icons | uber-eats-app |
| uber-logo-title | nautilus-commerce | uber-electric-scooter |
| uber-white | uber-one-logged-out | uber-freight-2022-market-outlook |
| jetpack-config | jetpack-config | testeaaa |
| uber-device-ids | uber-common | uber-demand-channel |
| qjwt | airbnb-org-sections | uber-et-uber-eats |
| uber-device-id | qjwt | uber-white-80 |
| uber-on-way-to-hospital | uber-app-variant | uber-blue |
| uber-blue-80 | uber-one | uber-push-service |
| airbnb-logo-red | uber-device-model | uber-freight-customer-story |
| jitsi-meet-redux | uber-client-session | uber-com |
| uber-black-90 | bsd-global-nav-design-ui | notepadplusplus-keybindings |
| uber-white-60 | uber-blue-40 | uber-white-40 |
| push-package-action | airbnb-dls-web | qjwt |
| uber-chevron-desc | uber-open-summit-sofia | uber-freight-h2-2021-market-insights |
| uber-black-95 |
Why Phylum & What’s Coming Next…
Phylum’s capabilities extend beyond pure source code analysis. We have constructed authorship models that, in combination with other metrics, allow us to identify odd behaviors around commits and activity. We analyze maintainer information for a package, allowing us to spot packages that have recently changed ownership that may be at risk for the introduction of malware (as was the case with even-stream in 2018).
As we look forward, we are imminently preparing the release of C#/Nuget and Java/Maven support. In addition to this, we are pushing hard to increase both the sophistication and number of our heuristics and analytics.
Phylum, at its core, is a risk detection system focusing on the software supply chain. Unlike other SCA products that focus nearly exclusively on well-known issues, we are looking for the unknown unknowns – the subtle modifications to a software package that will surreptitiously exfiltrate keys to your critical infrastructure. We do this at the scale of open source, tackling the problem in an automated fashion, to make software supply chain security proactive instead of merely reactive.
To learn more about Phylum’s automated malware identification capability and how we support secure and efficient use of open-source software please contact us for a conversation.
