Killing Two Birds with One Stone: Malicious Package Detection in NPM and PyPI using a Single Model of Malicious Behavior Sequence

Zhang, Junan; Huang, Kaifeng; Huang, Yiheng; Chen, Bihuan; Wang, Ruisi; Wang, Chong; Peng, Xin

doi:10.1145/3705304

ACM Trans. Softw. Eng. Methodol.

2024

DOI: 10.1145/3705304

|View full text |Cite

Killing Two Birds with One Stone: Malicious Package Detection in NPM and PyPI using a Single Model of Malicious Behavior Sequence

Junan Zhang,

Kaifeng Huang,

Yiheng Huang

et al.

Abstract: Open-source software (OSS) supply chain enlarges the attack surface of a software system, which makes package registries attractive targets for attacks. Recently, multiple package registries have received intensified attacks with malicious packages. Of those package registries, NPM and PyPI are two of the most severe victims. Existing malicious package detectors are developed with features from a list of packages of the same ecosystem and deployed within the same ecosystem exclusively, which is infeasible to u… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...

Citation Types

Supporting

Mentioning

Contrasting

Year Published

2024

Publication Types

Select...

Other1

Relationship

Self Cite0

Independent1

Authors

Journals

Cited by 1 publication

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

Towards Robust Detection of Open Source Software Supply Chain Poisoning Attacks in Industry Environments

Zheng,

Wei,

Wang

et al. 2024

Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering

View full text Add to dashboard Cite

The exponential growth of open-source package ecosystems, particularly NPM and PyPI, has led to an alarming increase in software supply chain poisoning attacks. Existing static analysis methods struggle with high false positive rates and are easily thwarted by obfuscation and dynamic code execution techniques. While dynamic analysis approaches offer improvements, they often suffer from capturing non-package behaviors and employing simplistic testing strategies that fail to trigger sophisticated malicious behaviors. To address these challenges, we present OSCAR, a robust dynamic code poisoning detection pipeline for NPM and PyPI ecosystems. OSCAR fully executes packages in a sandbox environment, employs fuzz testing on exported functions and classes, and implements aspect-based behavior monitoring with tailored API hook points. We evaluate OSCAR against six existing tools using a comprehensive benchmark dataset of real-world malicious and benign packages. OSCAR achieves an F1 score of 0.95 in NPM and 0.91 in PyPI, confirming that OSCAR is as effective as the current state-ofthe-art technologies. Furthermore, for benign packages exhibiting characteristics typical of malicious packages, OSCAR reduces the false positive rate by an average of 32.06% in NPM (from 34.63% to 2.57%) and 39.87% in PyPI (from 41.10% to 1.23%), compared to other tools, significantly reducing the workload of manual reviews * Both authors contributed equally to this research.

show abstract

Towards Robust Detection of Open Source Software Supply Chain Poisoning Attacks in Industry Environments

Zheng,

Wei,

Wang

et al. 2024

Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering

View full text Add to dashboard Cite

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Killing Two Birds with One Stone: Malicious Package Detection in NPM and PyPI using a Single Model of Malicious Behavior Sequence

Cited by 1 publication

References 23 publications

Towards Robust Detection of Open Source Software Supply Chain Poisoning Attacks in Industry Environments

Towards Robust Detection of Open Source Software Supply Chain Poisoning Attacks in Industry Environments

Contact Info

Product

Resources

About