Veracode Buys Package Analysis Technology From Phylum

Application security company Veracode has acquired certain technology assets from software supply chain security startup Phylum.

Under the deal, Veracode is acquiring Phylum's malicious package analysis, detection, and mitigation technology, and some staff who worked on package analysis. The technology will enhance Veracode's capabilities to identify and block malicious code in open source libraries, giving customers a more comprehensive view of the risks associated with using open source code, the company said. The new staff will join Veracode's security research team.

The technology deal comes at a time as organizations are increasingly concerned about the risks of vulnerabilities in open source code. Gartner projects damages from software supply chain attacks will increase from $46 billion in 2023 to $138 billion by 2031.

Founded in 2020, Phylum specializes in technologies for analyzing, detecting and mitigating malicious software packages. The tools provide instant analysis of newly published packages, helping organizations identify and blocks in real-time. Back in 2022, when Phylum won Black Hat's first Innovation Spotlight competition, co-founder Peter Morgan described package analysis as looking at risk indicators to create a "credit score for packages."

Phylum’s recent research identified nearly half a million malicious packages, including targeted campaigns targeting finance and cryptocurrency companies.

Veracode's platform is used by organizations to scan code to understand exploitable risks, identify and remediate vulnerabilities, and reduce security debt. With Phylum's technology, Veracode can significantly reduce the attack window by helping customers identify the existence of malicious packages in their applications much faster.

The malicious package database and package management firewall will be integrated into Veracode's Software Composition Analysis product, with general availability expected early this year, Veracode said.

"With Phylum’s unmatched database and cutting-edge research—proven to detect 60 percent more malicious packages than any other vendor—our customers will gain the confidence to innovate faster, knowing their software is protected against evolving threats," Ravi Iyer, Veracode's chief product officer, said in a statement.

Veracode did not disclose the financial terms of the transaction.