Veracode Buys Package Analysis Technology From Phylum

Application security company Veracode has acquired certain technology assets from software supply chain security startup Phylum.
Under the deal, Veracode is acquiring Phylum's malicious package analysis, detection, and mitigation technology, and some staff who worked on package analysis. The technology will enhance Veracode's capabilities to identify and block malicious code in open source libraries, giving customers a more comprehensive view of the risks associated with using open source code, the company said. The new staff will join Veracode's security research team.
The technology deal comes at a time when organizations are increasingly concerned about the risks of vulnerabilities in open source code. Gartner projects damages from software supply chain attacks will increase from $46 billion in 2023 to $138 billion by 2031.
Founded in 2020, Phylum specializes in technologies for analyzing, detecting and mitigating malicious software packages. The tools provide instant analysis of newly published packages, helping organizations identify and block them in real time. Back in 2022, when Phylum won Black Hat's first Innovation Spotlight competition, co-founder Peter Morgan described package analysis as looking at risk indicators to create a "credit score for packages."
Phylum's recent research identified nearly half a million malicious packages, including campaigns targeting finance and cryptocurrency companies.
Veracode's platform is used by organizations to scan code to understand exploitable risks, identify and remediate vulnerabilities, and reduce security debt. With Phylum's technology, Veracode can significantly reduce the attack window by helping customers identify the existence of malicious packages in their applications much faster.
The malicious package database and package management firewall will be integrated into Veracode's Software Composition Analysis product, with general availability expected early this year, Veracode said.
"With Phylum’s unmatched database and cutting-edge research—proven to detect 60 percent more malicious packages than any other vendor—our customers will gain the confidence to innovate faster, knowing their software is protected against evolving threats," Ravi Iyer, Veracode's chief product officer, said in a statement.
Veracode did not disclose the financial terms of the transaction.