Happy to see this on HN! I'm one of the co-founders @ Phylum. We actively monitor and report on malware and software supply chain attacks across multiple ecosystems. Most notably, we were the first to identify and report on attacks carried out by North Korean state actors in NPM [1]. With our fairly recent addition of Crates.io support, we've begun monitoring and reporting on campaigns in the Rust ecosystem. In doing so, we identified what appeared to be staging of a malware campaign and were able to report it to Crates.io before it got too far along.

We're also in the process of releasing a beta `cargo` extension that will transparently query our API for information about a package, before it is permitted to install. This is available in our open-source CLI [2]. Prefixing `cargo` with `phylum` will perform this check before the build occurs: `phylum cargo build`

In addition to this, we've also developed and released an open-source sandbox [3] that provides facilities for limiting access to disk, network, and environment variables. This is baked into our `npm`, `yarn`, and `pip` CLI extensions; we're working on adding it to more.

Would greatly appreciate any feedback on our Cargo extension and suggestions for improving our sandbox! Happy to answer any questions about software supply chain attacks or security in general! Stay tuned, we're tracking another fairly complicated supply chain attack.

1. https://blog.phylum.io/junes-sophisticated-npm-attack-attrib...
2. https://github.com/phylum-dev/cli
3. https://github.com/phylum-dev/birdcage