Phylum’s Next-Gen Machine Learning Prevents Open Source Supply Chain Attacks

Current solutions can’t stop a software-supply-chain attack before it happens. Phylum launches a new software tool that can predict and prevent 4 out of 5.

Phylum, a DevSecOps startup committed to derisking the open-source ecosystem, announced today the launch of their first software tool. The tool, also called Phylum, applies machine learning and data mining to identify and assess potential threats rooted in open-source software dependencies.

It used to be a simple enough task for a cybersecurity firm to manually track and patch vulnerabilities in open-source software ecosystems. But today those ecosystems are simply too big. The JavaScript ecosystem alone has grown from around 12,500 published packages in 2015 to nearly 1.5 million today. It’s easy to see that current solutions, which rely on manual analysis, simply can’t keep up.

And patching vulnerabilities is just the tip of the iceberg. When a bad actor gets write access to a piece of open-source code, they can inject malware, malicious ads, cryptominers, and other attacks into any package that relies on that code. Because packages depend upon dozens of other packages, which themselves depend on dozens more, every time a developer uses open-source code, they may be opening thousands of back doors into their build environment. “Our industry has gotten pretty good at patching vulns and reacting quickly to the ‘known unknowns’ when an attack is taking place,” says Peter Morgan, President of Phylum. “Now we see the attacks moving upstream, creating ‘unknown unknowns’ by covertly infecting one package among thousands. It's a problem that's increasing at a pretty alarming rate.”
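The transitive-dependency problem described above, as an added illustration that is not Phylum's code: a small constructed dependency graph (the package names are invented) is walked to compute what one application actually installs, how many packages a single compromised upstream package would reach, and through which direct dependency it gets in, which is the information a defender needs to decide what to pin or drop.

```python
from collections import deque
# Constructed toy dependency graph (invented package names): each key
# lists its direct dependencies. Real ecosystems have the same shape.
DEPENDENCY_GRAPH = {
    "my-app": ["web-framework", "logger", "test-runner"],
    "web-framework": ["http-parser", "router", "template-engine"],
    "router": ["path-matcher"],
    "template-engine": ["escape-html", "string-utils"],
    "logger": ["string-utils", "color-codes"],
    "test-runner": ["assert-lib", "color-codes"],
    "http-parser": ["string-utils"],
    "path-matcher": [], "escape-html": [], "string-utils": [],
    "color-codes": [], "assert-lib": [],
}

def transitive_dependencies(root, graph=DEPENDENCY_GRAPH):
    """Return every package reachable from `root`, i.e. the full install set."""
    seen, queue = set(), deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def reverse_graph(graph=DEPENDENCY_GRAPH):
    """Invert the edges so we can walk from a package to its dependents."""
    rev = {}
    for pkg, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev

def blast_radius(compromised, graph=DEPENDENCY_GRAPH):
    """Every package whose install set includes `compromised`."""
    return transitive_dependencies(compromised, reverse_graph(graph))

def import_paths(root, target, graph=DEPENDENCY_GRAPH):
    """All dependency chains by which `root` pulls in `target`."""
    paths, stack = [], [(root, [root])]
    while stack:
        pkg, path = stack.pop()
        if pkg == target:
            paths.append(path)
            continue
        for dep in graph.get(pkg, []):
            if dep not in path:  # guard against dependency cycles
                stack.append((dep, path + [dep]))
    return paths
```

Run against a real lockfile's dependency map, `blast_radius` shows why one infected upstream package is an "unknown unknown" for every project downstream, and `import_paths` shows which direct dependency brought it in.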

Phylum’s core product focuses on providing answers to these “unknown unknowns” of third-party software, libraries, and packages. Along with standard reporting on known issues, Phylum provides reputation scores for every package and its dependencies. These reputation scores are created by continuously data-mining the open-source ecosystem and applying machine learning and heuristic analysis to determine both the existing threat and future risk posed by any package.

So how does Phylum stack up? A recently published academic paper titled “The Backstabber’s Knife Collection” provided a survey of recent software-supply-chain attacks. Even today, during its initial rollout, Phylum would have prevented 85% of the attacks in the survey. Legacy products are unable to find any unless they have been previously identified.

“I believe we can have a profound impact by helping people regulate the open-source attacks that will continue to pop up in the future,” says CEO Aaron Bray. “When we help people reason about and maintain control of the software they build on open-source foundations, we make the software ecosystem at large a better, safer place. Because right now, essentially, it's the Wild West.”

About Phylum
We are an early-stage startup developing DevSecOps tooling to help developers identify and mitigate risks stemming from the open-source ecosystem. Our founding team and staff are professionals with decades of collective experience from across the U.S. intelligence community and industry. We mine massive datasets from around the web, informing critical decisions within your software stack. Learn more at

Media Contact
Victoria Elghasen
(702) 577-5141
