A systematic analysis of the event-stream incident

Arvanitis, Iosif; Ntousakis, Grigoris; Ioannidis, Sotiris; Vasilakis, Nikos

doi:10.1145/3517208.3523753

Cited by 3 publications

(1 citation statement)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In 2018, an attacker took control of the package and introduced malicious code to exfiltrate information from Bitcoin wallets. Though this package averaged nearly two million downloads per week, the attack went undiscovered for nearly two months [24]. a) Open source repositories have been targeted: Opensource software repositories, essentially stores of free and open-source (FOSS) components that facilitate code reuse, have become an important part of the software supply chain over the past couple of decades.…”

Section: A Software Supply Chain Attacksmentioning

confidence: 99%

Bad Snakes: Understanding and Improving Python Package Index Malware Scanning

Newman

Meyers

2023

2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Open-source, community-driven package repositories see thousands of malware packages each year, but do not currently run automated malware detection systems. In this work, we explore the security goals of the repository administrators and the requirements for deploying such malware scanners via a case study of the Python ecosystem and PyPI repository, including interviews with administrators and maintainers. Further, we evaluate existing malware detection techniques for deployment in this setting by creating a benchmark dataset and comparing several existing tools: the malware checks implemented in PyPI, Bandit4Mal, and OSSGadget's OSS Detect Backdoor.We find that repository administrators have exacting requirements for such malware detection tools. Specifically, they consider a false positive rate of even 0.1% to be unacceptably high, given the large number of package releases that might trigger false alerts. Measured tools have false positive rates between 15% and 97%; increasing thresholds for detection rules to reduce this rate renders the true positive rate useless.While automated tools are far from reaching these demands, we find that a socio-technical malware detection system has emerged to meet these needs: external security researchers perform repository malware scans, filter for useful results, and report the results to repository administrators. These parties face different incentives and constraints on their time and tooling. We conclude with recommendations for improving detection capabilities and strengthening the collaboration between security researchers and software repository administrators.

show abstract

Section: A Software Supply Chain Attacksmentioning

confidence: 99%