Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

GitLab Releases Open Source Tool for Hunting Malicious Code in Dependencies

GitLab last week announced the release of a new open source tool designed to help software developers identify malicious code in their projects’ dependencies.

GitLab last week announced the release of a new open source tool designed to help software developers identify malicious code in their projects’ dependencies.

Code reuse is a central approach to today’s programming, but implementing open-source libraries in software comes with inherent risks. One of these is related to the use of packages that might contain malicious code, either due to the package getting compromised or due to reliance on compromised dependencies.

With some applications depending on hundreds of packages, including some that haven’t been vetted, identifying vulnerable or malicious code is essential to ensuring the security of software and users, especially since cases where threat actors compromise the open source supply chain are increasing.

What GitLab sets out to achieve with the new tool — named Package Hunter — is the detection of malicious code that would execute within an application’s dependencies, and which might not be identified by other scanners.

For that, the new tool installs the dependencies in a sandbox and keeps a close watch on the system calls executed during the installation, to identify any that might be suspicious and report them to the user, for further examination.

The tool has been used internally at GitLab since November 2020, and is now available for the public, in open source. For the time being, Package Hunter only includes support for NodeJS modules and Ruby Gems.

Related: Google Expands Open Source Vulnerabilities Database

Related: New Google Tool Helps Developers Visualize Dependencies of Open Source Projects

Advertisement. Scroll to continue reading.

Related: Adobe Releases Open Source Anomaly Detection Tool “OSAS”

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

Former Wiz executive Trish Cagliostro has joined Orchid Security as Chief Revenue Officer.

Transcend has named former UnitedHealth Group CISO Aimee Cardwell as CISO in Residence.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.