Here's a New Tool That Scans for Malicious Packages in Open-Source Repositories

Undiscussed Horrific Abuse, One Victim of Many gmkarl at gmail.com
Thu May 5 02:14:17 PDT 2022


This is great. Modern tech provides for doing much more than this, and
approaches have been around for decades, but accessibility and utility of
behavior scanning has been very stagnant.

I'm sure most hackers have spent time making IDS and such of their own. It
hasn't been commonplace to have a free public suite that analyses what code
does, rather than what it is.

Hence articles like this are a great inspiration.

The summary below describes analysis of only PyPI and npm packages, not
mainstream operating system packages, unfortunately.

In my opinion, some of these things are approached in a non-ideal
direction: detection of dependency confusion and typosquatting (the
publication of packages with very similar names to mainstream ones, to
co-opt users and imports) seems more important than detection of malicious
behavior.

This is because malicious behavior can get incredibly obscure as malicious
actors respond to detection of it. The more obscure it is, the more
dangerous it is. This has been seen in the past, with scores of handmade
mutating viruses that disguise their traffic, etc.

However, we have the technology now to detect obscure malicious behavior:
if we make an environment that ensures we learn it exists.

The advantage of the malicious behavior detection is that it shows the
dependency confusion patterns in use.

Let us now use that dependency confusion to learn what novel malicious
behaviors exist.
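As an added illustration of the typosquatting detection the post argues should come first (example code written for this page, not part of the post or of the scanning tool it discusses): a small screening function that compares a candidate package name against a list of well-known names using PEP 503-style normalization, edit distance, adjacent-character transposition, and digit-for-letter look-alike folding. The `POPULAR_PACKAGES` list and the thresholds are constructed assumptions; a real index would use its own top-download list and tune the cutoffs.

```python
"""Typosquat screening for package names (added example, not from the post)."""
import re

# Constructed sample of "mainstream" names. A deployment would load the
# top-N download list of the index it protects instead.
POPULAR_PACKAGES = [
    "requests", "numpy", "urllib3", "colorama", "python-dateutil", "setuptools",
]

# Digits commonly substituted for look-alike letters in squatted names.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(name: str) -> str:
    """PEP 503-style normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_transposition(a: str, b: str) -> bool:
    """True if a and b differ only by one pair of adjacent swapped characters."""
    if len(a) != len(b):
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def skeleton(name: str) -> str:
    """Fold look-alike digits to letters and drop separators for comparison."""
    return normalize(name).translate(LOOKALIKES).replace("-", "")


def typosquat_candidates(name: str, popular=POPULAR_PACKAGES):
    """Return [(popular_name, reason), ...] for each well-known package the
    candidate resembles. An exact normalized match returns [] because that
    is the genuine package, not a squat on it."""
    n = normalize(name)
    hits = []
    for p in popular:
        pn = normalize(p)
        if n == pn:
            return []
        # Assumed cutoff: one edit. Longer names may warrant two in practice.
        if levenshtein(n, pn) <= 1:
            hits.append((p, "edit-distance"))
        elif is_transposition(n, pn):
            hits.append((p, "transposition"))
        elif skeleton(n) == skeleton(pn):
            hits.append((p, "lookalike-characters"))
    return hits


if __name__ == "__main__":
    for candidate in ["request", "reqeusts", "c0l0rama", "python_dateutil", "flask"]:
        print(candidate, "->", typosquat_candidates(candidate))
```

Each reason string names the heuristic that fired, so a reviewer of the upload queue can see why a name was held; an empty list means either a genuine well-known package or a name far enough from all of them to pass this screen.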