This is great. Modern tech provides for doing much more than this, and
   approaches have been around for decades, but accessibility and utility
   of behavior scanning has been very stagnant.
   I'm sure most hackers have spent time making IDS and such of their own.
   It hasn't been commonplace to have a free public suite that analyses
   what code does, rather than what it is.
   Hence articles like this are a great inspiration.
   The summary below describes analysis of only pypi and npm packages, not
   mainstream operating system packages, unfortunately.
   In my opinion, some of these things are described approached in an
   unideal direction: detection of dependency confusion and typosquatting
   (the publication of packages with very similar names to mainstream
   ones, to co-opt users and imports) seems more important than detection
   of malicious behavior.
   This is because malicious behavior can get incredibly obscure as
   malicious actors respond to detection of it. The more obscure it is,
   the more dangerous it is. This has been seen in the past, with scores
   of handmade mutating viruses that disguise their traffic, etc.
   However, we have the technology now to detect obscure malicious
   behavior: if we make an environment that ensures we learn it exists.
   The advantage of the malicious behavior detection is that it shows the
   dependency confusion patterns in use.
   Let us now use that dependency confusion to learn what novel malicious
   behaviors exist.