This is great. Modern tech provides for doing much more than this, and approaches have been around for decades, but accessibility and utility of behavior scanning has been very stagnant. I'm sure most hackers have spent time making IDS and such of their own. It hasn't been commonplace to have a free public suite that analyses what code does, rather than what it is. Hence articles like this are a great inspiration. The summary below describes analysis of only pypi and npm packages, not mainstream operating system packages, unfortunately. In my opinion, some of these things are described as approached in an unideal direction: detection of dependency confusion and typosquatting (the publication of packages with very similar names to mainstream ones, to co-opt users and imports) seems more important than detection of malicious behavior. This is because malicious behavior can get incredibly obscure as malicious actors respond to detection of it. The more obscure it is, the more dangerous it is. This has been seen in the past, with scores of handmade mutating viruses that disguise their traffic, etc. However, we have the technology now to detect obscure malicious behavior: if we make an environment that ensures we learn it exists. The advantage of the malicious behavior detection is that it shows the dependency confusion patterns in use. Let us now use that dependency confusion to learn what novel malicious behaviors exist.