Supply Chain Council of European Union | Scceu.org
Technology

Here’s a New Tool That Scans Open-Source Repositories for Malicious Packages

Malicious Packages in Open-Source Repositories

The Open Source Security Foundation (OpenSSF) has announced the initial prototype release of a new tool that’s capable of carrying out dynamic analysis of all packages uploaded to popular open source repositories.

Called the Package Analysis project, the initiative aims to secure open-source packages by detecting and alerting users to any malicious behavior with the goal of bolstering the security of the software supply chain and increasing trust in open-source software.

CyberSecurity

“The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run?,” the OpenSSF said.

“The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously,” the foundation’s Caleb Brown and David A. Wheeler added.

In a test run that lasted a month, the tool identified more than 200 malicious packages uploaded to PyPI and NPM, with a majority of the rogue libraries leveraging dependency confusion and typosquatting attacks.

Google, which is a member of OpenSSF, has also rallied its support behind the Package Analysis project, while emphasizing the need for “vetting packages being published in order to keep users safe.”

CyberSecurity

The tech giant’s Open Source Security Team, last year, put forth a new frame called Supply chain Levels for Software Artifacts (SLSA) to ensure the integrity of software packages and prevent unauthorized modifications.

The development comes as the open source ecosystem is being increasingly weaponized to target developers with a variety of malware, including cryptocurrency miners and information stealers.

Related posts

Global Order Management In Telecom Market 2020 | Know the Companies List Could Potentially Benefit or Loose out From the Impact of COVID-19 | Top Companies: Cerillion (UK), Cognizant (US), Ericsson (Sweden), IBM (US), Oracle (US), etc.

scceu

IBM, SAP, Microsoft, Oracle – ZNews Africa

scceu

Business Size| Strategies| Opportunities| Future Trends| Top Key Players| Market Share and Global Analysis by Forecast| JAGGAER, SAP Ariba, Scout RFP, Coupa – Jumbo News

scceu