Abstract

Software package managers have become a vital part of the modern software development process. They allow developers to easily adopt third-party software and streamline the development process. However, bad actors today reportedly leverage highly sophisticated techniques such as typo-squattng and social engineering to “supply” purposefully harmful code (malware) and carry out software supply chain attacks. For example, eslint-scope, a NPM package with millions of weekly downloads, was compromised to steal credentials from developers.

We have built a large-scale vetting infrastructure that analyzes millions of published NPM, Python, RubyGems software packages for “risky” code/attributes, and provides actionable insights into their security posture. Our system employs static code analysis as well as metadata analysis for detection. For example, inspired by the permissions model of Android/iOS, our system derives permissions needs by a package (e.g, file I/O, network I/O, process exec). Similarly, our metadata analysis module checks for package impersonation to detect typo-squatting attacks.

In this presentation, we will cover the technical details of our system and introduce a free command line (CLI) tool as well as a CI/CD plugin for developers to detect accidental installation of “risky” packages and mitigate software supply chain attacks. We have already detected a number of abandoned, typo-squatting, and malicious packages. We will present our findings, highlight different types of attacks and measures that developers can take to thwart such attacks. With our work, we hope to enhance productivity of the developer community by exposing undesired behavior in untrusted third-party code, maintaining developer trust and reputation, and enforcing security of package managers.