A Survey on Common Threats in npm and PyPi Registries

Kaplan, Berkay; Qian, Jingyu

doi:10.1007/978-3-030-87839-9_6

Cited by 6 publications

(5 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A comparable feature is not present in most compiled languages, like Java, C/C++ or Ruby. In such cases, Integrity check of dependencies through cryptographic hashes [9], [36], [83], [109], [131], [135], [138] 3.3 3.0 2.5 2.0 1.32 Y N 2.3 2.0 Maintain detailed SBOM [5], [8], [53], [183], [184] and perform SCA [8], [31], [43], [48], [51], [53], [55] [42], [123], [185] Code signing [47], [83], [109], [135], [138], [141] Application Security Testing [34], [39], [41], [46], [55], [56], [58], [66], [80], [122], [134], [187] 4 execution is achieved either at runtime, e.g., by embedding the payload in a specific function or initializer, or by poisoning test routines [19]. Differences also exist in regards to code obfuscation and malware detection.…”

Section: Discussionmentioning

confidence: 99%

“…They provide an overview of stakeholders (and their relationships) in those package manager ecosystems, but do not specifically cover VCS and build systems. Also Kaplan et al [66] present the state of the art of threats in package repositories and describe -also experimental -countermeasures from the scientific literature.…”

Section: Related Workmentioning

confidence: 99%

“…(AV-000) Conduct Open-Source Supply Chain Attack SL: [18], [19], [31]- [56] (AV-100) Develop and Advertise Distinct Malicious Package from Scratch SL: [16], [19], [57], [58] GL: [59]- [65] (AV-200) Create Name Confusion with Legitimate Package SL: [16], [58], [66], [67] GL: [68]- [70] (AV-201) Combosquatting SL: [71] GL: [72], [73] (AV-202) Altering Word Order SL: [74] (AV-203) Manipulating Word Separators SL: [74] (AV-204) Typosquatting SL: [15], [71], [74]- [76] GL: [77], [78] (AV-205) Built-In Package SL: [74] GL: [79] (AV-206) Brandjacking SL: [74] (AV-207) Similarity Attack SL: [71] (AV-001) Subvert Legitimate Package (AV-300) Inject into Sources of Legitimate Package SL: [19], [80]- [85] (AV-301) Introduce Malicious Code through Hypocrite Merge Request SL: [11], [85]- [87] GL: [88] (AV-304) Make Immature Vulnerability Exploitable SL: [11], [89] GL: [88] (AV-305) Exploit Rendering Weakness SL: [10] (AV-306) Exploit Unicode Bidirectional Algorithm SL: [10] GL:…”

Section: Appendix a Safeguards Against Oss Supply Chain Attacksmentioning

confidence: 99%

See 2 more Smart Citations

Taxonomy of Attacks on Open-Source Software Supply Chains

Ladisa¹,

Plate²,

Martínez³

et al. 2022

Preprint

View full text Add to dashboard Cite

The widespread dependency on open-source software makes it a fruitful target for malicious actors, as demonstrated by recurring attacks. The complexity of today's opensource supply chains results in a significant attack surface, giving attackers numerous opportunities to reach the goal of injecting malicious code into open-source artifacts that is then downloaded and executed by victims.This work proposes a general taxonomy for attacks on opensource supply chains, independent of specific programming languages or ecosystems, and covering all supply chain stages from code contributions to package distribution. Taking the form of an attack tree, it covers 107 unique vectors, linked to 94 realworld incidents, and mapped to 33 mitigating safeguards.User surveys conducted with 17 domain experts and 134 software developers positively validated the correctness, comprehensiveness and comprehensibility of the taxonomy, as well as its suitability for various use-cases. Survey participants also assessed the utility and costs of the identified safeguards, and whether they are used.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Appendix a Safeguards Against Oss Supply Chain Attacksmentioning

confidence: 99%

See 1 more Smart Citation

Taxonomy of Attacks on Open-Source Software Supply Chains

Ladisa¹,

Plate²,

Martínez³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…5 Besides the ID and the summary of the vulnerability, a CVE entry provides relevant references (e.g., Github documentation as in Figure 2), an assessment of the severity of the vulnerability using the Common Vulnerability Scoring System (CVSS), 6 and the Common Weakness Enumeration (CWE) taxonomy of weakness types. 7 Additionally, the CVE entry provides Common Platform Enumerations (CPE) [3] version 2.3 string, which is a standard for identifying classes of applications, operating systems/platforms, as well as hardware information. The CPE string consists of various fields providing information such as the software name, vendor as well as the target software, which contains the software computing environment (e.g.…”

Section: Common Vulnerabilities and Exposuresmentioning

confidence: 99%

Challenges of mapping Vulnerabilities and Exposures to Open-Source Packages

Dam¹,

Neumaier²

2022

Preprint

View full text Add to dashboard Cite

Much of the current software depends on open-source components, which in turn have complex dependencies on other open-source libraries. Vulnerabilities in open source therefore have potentially huge impacts. The goal of this work is to get a quantitative overview of the frequency and evolution of existing vulnerabilities in popular software repositories and package managers. To this end, we provide an up-to-date overview of the open source landscape and its most popular package managers. We discuss approaches to map entries of the Common Vulnerabilities and Exposures (CVE) list to open-source libraries. Based on this mapping approaches, we show the frequency and distribution of CVE entries with respect to popular programming languages.

show abstract

“…Our work falls into the area of supply chain attacks, where threat actors introduce malware backdoors into software components that are used by developers. Kaplan et al [7] examined the attack vectors that can be carried out against package dependency registries, such as typosquatting package names and exploiting outdated dependencies. Duan et al [8] take this further by implementing an analysis pipeline that found 278 malicious dependencies across three registries.…”

Section: A Software Supply Chain Attacksmentioning

confidence: 99%