2021
DOI: 10.1007/978-3-030-87839-9_6
|View full text |Cite
|
Sign up to set email alerts
|

A Survey on Common Threats in npm and PyPi Registries

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
1
1
1

Citation Types

0
5
0

Year Published

2022
2022
2024
2024

Publication Types

Select...
7

Relationship

0
7

Authors

Journals

citations
Cited by 7 publications
(5 citation statements)
references
References 30 publications
0
5
0
Order By: Relevance
“…A comparable feature is not present in most compiled languages, like Java, C/C++ or Ruby. In such cases, Integrity check of dependencies through cryptographic hashes [9], [36], [83], [109], [131], [135], [138] 3.3 3.0 2.5 2.0 1.32 Y N 2.3 2.0 Maintain detailed SBOM [5], [8], [53], [183], [184] and perform SCA [8], [31], [43], [48], [51], [53], [55] [42], [123], [185] Code signing [47], [83], [109], [135], [138], [141] Application Security Testing [34], [39], [41], [46], [55], [56], [58], [66], [80], [122], [134], [187] 4 execution is achieved either at runtime, e.g., by embedding the payload in a specific function or initializer, or by poisoning test routines [19]. Differences also exist in regards to code obfuscation and malware detection.…”
Section: Discussionmentioning
confidence: 99%
See 2 more Smart Citations
“…A comparable feature is not present in most compiled languages, like Java, C/C++ or Ruby. In such cases, Integrity check of dependencies through cryptographic hashes [9], [36], [83], [109], [131], [135], [138] 3.3 3.0 2.5 2.0 1.32 Y N 2.3 2.0 Maintain detailed SBOM [5], [8], [53], [183], [184] and perform SCA [8], [31], [43], [48], [51], [53], [55] [42], [123], [185] Code signing [47], [83], [109], [135], [138], [141] Application Security Testing [34], [39], [41], [46], [55], [56], [58], [66], [80], [122], [134], [187] 4 execution is achieved either at runtime, e.g., by embedding the payload in a specific function or initializer, or by poisoning test routines [19]. Differences also exist in regards to code obfuscation and malware detection.…”
Section: Discussionmentioning
confidence: 99%
“…They provide an overview of stakeholders (and their relationships) in those package manager ecosystems, but do not specifically cover VCS and build systems. Also Kaplan et al [66] present the state of the art of threats in package repositories and describe -also experimental -countermeasures from the scientific literature.…”
Section: Related Workmentioning
confidence: 99%
See 1 more Smart Citation
“…5 Besides the ID and the summary of the vulnerability, a CVE entry provides relevant references (e.g., Github documentation as in Figure 2), an assessment of the severity of the vulnerability using the Common Vulnerability Scoring System (CVSS), 6 and the Common Weakness Enumeration (CWE) taxonomy of weakness types. 7 Additionally, the CVE entry provides Common Platform Enumerations (CPE) [3] version 2.3 string, which is a standard for identifying classes of applications, operating systems/platforms, as well as hardware information. The CPE string consists of various fields providing information such as the software name, vendor as well as the target software, which contains the software computing environment (e.g.…”
Section: Common Vulnerabilities and Exposuresmentioning
confidence: 99%
“…Our work falls into the area of supply chain attacks, where threat actors introduce malware backdoors into software components that are used by developers. Kaplan et al [7] examined the attack vectors that can be carried out against package dependency registries, such as typosquatting package names and exploiting outdated dependencies. Duan et al [8] take this further by implementing an analysis pipeline that found 278 malicious dependencies across three registries.…”
Section: A Software Supply Chain Attacksmentioning
confidence: 99%