Depends on Malware
Description
The Phylum threat feed is a curated list of packages identified by Phylum as malicious. This valuable resource is integrated into other aspects of our threat detection workflow. A common strategy among malware authors involves publishing a malicious package, followed by another package that depends on the first. This method is particularly effective for infiltrating malware into large, established software projects through transitive dependencies, especially when introduced by an external contributor. Any package that includes, as a dependency, another package previously marked as malicious by Phylum is flagged with the "depends on malware" issue.
Importance
Using a package that depends on another package identified as malware poses the same level of threat as directly installing the malicious package itself.
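The check described above, as an added illustration (not Phylum's own code): walk a package's direct and transitive dependencies and flag it if any of them appears in a threat feed. The feed entries, package names and dependency graph below are constructed placeholders; the walk tolerates cyclic dependencies, which real lockfiles can contain.

```python
from collections import deque

# Constructed sample threat feed: names a curated feed would mark as malicious.
# Not the real Phylum feed; these values are placeholders for illustration.
THREAT_FEED = {"evil-helper"}

# Constructed dependency graph: package -> set of its direct dependencies.
# "wrapper-lib" is the second package that depends on the malicious one;
# "big-app" pulls it in transitively alongside unrelated-looking dependencies.
DEP_GRAPH = {
    "big-app": {"web-framework", "wrapper-lib"},
    "web-framework": {"http-utils"},
    "http-utils": {"web-framework"},   # cycle: the walk must not loop forever
    "wrapper-lib": {"evil-helper"},
    "evil-helper": set(),
    "clean-tool": {"http-utils"},
}

def depends_on_malware(package, graph, feed):
    """Return the dependency chain from `package` to the first dependency
    found in the threat feed, or None if nothing it depends on is flagged.
    A package that is itself in the feed is reported by the feed, not by
    this issue, so only its dependencies are inspected."""
    queue = deque([(dep, [package, dep]) for dep in graph.get(package, ())])
    seen = {package}
    while queue:
        name, path = queue.popleft()
        if name in seen:        # already visited (handles cycles and diamonds)
            continue
        seen.add(name)
        if name in feed:
            return path
        for dep in graph.get(name, ()):
            queue.append((dep, path + [dep]))
    return None

def flag_all(graph, feed):
    """Evaluate every package: flagged iff some direct or transitive
    dependency is in the feed, mirroring the 'depends on malware' issue."""
    return {pkg: depends_on_malware(pkg, graph, feed) for pkg in graph}

if __name__ == "__main__":
    for pkg, chain in flag_all(DEP_GRAPH, THREAT_FEED).items():
        print(pkg, "->", " -> ".join(chain) if chain else "clean")
```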