research-article
Open access

On the feasibility of detecting injections in malicious npm packages

Published: 23 August 2022

Abstract

Open-source packages typically have their source code available in a source code repository (e.g., on GitHub), but developers prefer to use pre-built artifacts directly from the package repositories (such as npm for JavaScript). Between the source code and the distributed artifacts there can be differences that pose security risks in the software supply chain (e.g., attackers deploy malicious code that runs during package installation). Existing package scanners analyze the entire artifact of a package to detect this kind of attack. These procedures are not only time consuming, but also generate a high number of irrelevant alerts (false positives, FPs). An approach called LastPyMile by Vu et al. (ESEC/FSE’21) has been shown to be effective at detecting discrepancies and reducing false alerts when vetting Python packages on PyPI, by focusing only on the differences between the source and the package. In this work, we propose to port that approach to scan JavaScript packages in the npm ecosystem. We present a preliminary evaluation of our implementation on a set of real malicious npm packages and on the most popular packages. The results show that, while being 20.7x faster than the git-log approach, our approach reduced the percentage of false alerts produced by the package scanner by 69%.
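The core idea of the abstract, scanning only what the npm artifact adds over its source repository instead of the whole tarball, as an added illustration that is not the paper's implementation: the rule set, the in-memory source and package trees, and the file names are all constructed for this example, and the "whole artifact" baseline is run beside the difference-only scan to show how a legitimate `eval` in the repository stops producing a false alert.

```python
import difflib
import re

# Toy scanner rules, constructed for this example (not the paper's rule set).
RULES = {
    "eval_call": re.compile(r"\beval\s*\("),
    "child_process": re.compile(r"require\(['\"]child_process['\"]\)"),
    "install_hook": re.compile(r'"(pre|post)install"\s*:'),
}

# Constructed in-memory trees {path: text}: the git source at the release tag
# and the contents of the npm tarball published for the same version.
SOURCE = {
    "package.json": '{\n  "name": "demo-lib",\n  "version": "1.0.0",\n  "main": "lib/index.js"\n}\n',
    "lib/index.js": (
        "// legitimate eval in a template compiler: a false positive for whole-artifact scanning\n"
        'function compile(src) { return eval("(function(){" + src + "})"); }\n'
        "module.exports = { compile };\n"
    ),
}
PACKAGE = {
    "package.json": '{\n  "name": "demo-lib",\n  "version": "1.0.0",\n  "main": "lib/index.js",\n'
                    '  "scripts": { "postinstall": "node scripts/setup.js" }\n}\n',
    "lib/index.js": SOURCE["lib/index.js"],  # shipped unchanged from the repository
    "scripts/setup.js": "const cp = require('child_process'); // file absent from the repository\n",
}

def scan_text(text):
    """Sorted names of every rule that fires on at least one line of text."""
    return sorted({name for line in text.splitlines()
                   for name, rx in RULES.items() if rx.search(line)})

def artifact_only_lines(source, package):
    """Lines the artifact adds over the source: whole files missing from the
    repository, plus the '+' lines of a zero-context unified diff of shared files."""
    extra = {}
    for path, text in package.items():
        if path not in source:
            extra[path] = text.splitlines()
            continue
        diff = list(difflib.unified_diff(source[path].splitlines(),
                                         text.splitlines(), lineterm="", n=0))
        added = [l[1:] for l in diff[2:] if l.startswith("+")]  # diff[2:] skips ---/+++ headers
        if added:
            extra[path] = added
    return extra

def scan_whole_artifact(package):
    """Baseline: run the rules over every file in the tarball."""
    return {p: scan_text(t) for p, t in package.items() if scan_text(t)}

def scan_differences(source, package):
    """LastPyMile-style: run the rules only over what the artifact adds."""
    extra = artifact_only_lines(source, package)
    return {p: scan_text("\n".join(ls)) for p, ls in extra.items() if scan_text("\n".join(ls))}
```

On the constructed trees the whole-artifact scan raises three alerts, one of them the harmless `eval` in `lib/index.js`, while the difference-only scan raises two, both on content that exists only in the artifact.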

References

[1] 2019. Most popular npm packages. https://gist.github.com/anvaka/8e8fa57c7ee1350e3491. Accessed: 2022-03-10.
[2] 2021. GitHut 2.0: A small place to discover languages in Github. https://madnight.github.io/githut/#/pull_requests/2021/4. Accessed: 2022-03-20.
[3] [n.d.]. Git log. https://git-scm.com/docs/git-log/. Accessed: 2022-03-10.
[4] [n.d.]. NPM-Audit. https://docs.npmjs.com/cli/v8/commands/npm-audit/. Accessed: 2022-03-10.
[5] Catalin Cimpanu. 2018. Compromised JavaScript Package Caught Stealing npm Credentials. https://www.bleepingcomputer.com/news/security/compromised-javascript-package-caught-stealing-npm-credentials/. (2018).
[6] Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2021. Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages. https://arxiv.org/pdf/2002.01139.pdf. (2021). https://doi.org/10.48550/arXiv.2002.01139
[7] Gabriel Ferreira, Limin Jia, Joshua Sunshine, and Christian Kästner. 2021. Containing malicious package updates in NPM with a lightweight permission system. In 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE). IEEE, 1334–1346. https://doi.org/10.1109/ICSE43902.2021.00121
[8] GitHub. 2020. GitHub. https://github.com/. Accessed: 2022-03-09.
[9] Danielle Gonzalez, Thomas Zimmermann, Patrice Godefroid, and Max Schäfer. 2021. Anomalicious: Automated Detection of Anomalous and Potentially Malicious Commits on GitHub. In 2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP). IEEE, 258–267. https://doi.org/10.1109/ICSE-SEIP52600.2021.00035
[10] Piergiorgio Ladisa, Henrik Plate, Matias Martinez, and Olivier Barais. 2022. Taxonomy of Attacks on Open-Source Software Supply Chains. arXiv preprint arXiv:2204.04008 (2022).
[11] Genpei Liang, Xiangyu Zhou, Qingyu Wang, Yutong Du, and Cheng Huang. 2021. Malicious Packages Lurking in User-Friendly Python Package Index. In 2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). IEEE, 606–613. https://doi.org/10.1109/TrustCom53373.2021.00091
[12] Microsoft. 2020. OSS Detect Backdoor. https://github.com/microsoft/OSSGadget/wiki/OSS-Detect-Backdoor.
[13] Microsoft. 2020. OSS Gadget: Collection of tools for analyzing open source packages. https://github.com/microsoft/OSSGadget.
[14] npm Inc. 2019. npm. https://www.npmjs.com/. Accessed: 2022-03-08.
[15] Marc Ohm, Lukas Kempf, Felix Boes, and Michael Meier. 2020. Supporting the Detection of Software Supply Chain Attacks through Unsupervised Signature Generation. arXiv preprint arXiv:2011.02235 (2020).
[16] Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier. 2020. Backstabber’s knife collection: A review of open source software supply chain attacks. In Proceedings of the 17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA). Springer, 23–43. https://doi.org/10.1007/978-3-030-52683-2_2
[17] Synopsys. 2021. Open Source Security and Risk Analysis Report. https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/2020-ossra-report.pdf. (2021).
[18] Matthew Taylor, Ruturaj Vaidya, Drew Davidson, Lorenzo De Carli, and Vaibhav Rastogi. 2020. Defending against package typosquatting. In International Conference on Network and System Security. Springer, 112–131. https://doi.org/10.1007/978-3-030-65745-1_7
[19] Duc-Ly Vu. 2021. py2src: Towards the Automatic (and Reliable) Identification of Sources for PyPI Package. In 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 1394–1396. https://doi.org/10.1109/ASE51524.2021.9678526
[20] Duc-Ly Vu, Fabio Massacci, Ivan Pashchenko, Henrik Plate, and Antonino Sabetta. 2021. LastPyMile: identifying the discrepancy between sources and packages. In Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 780–792.
[21] Duc-Ly Vu, Ivan Pashchenko, and Fabio Massacci. 2020. A qualitative study of dependency management and its security implications. In 2020 ACM SIGSAC Conference on Computer and Communications Security. IEEE, 1513–1531. https://doi.org/10.1145/3372297.3417232
[22] Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, and Antonino Sabetta. 2020. Towards using source code repositories to identify software supply chain attacks. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2093–2095. https://doi.org/10.1145/3372297.3420015
[23] Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, and Antonino Sabetta. 2020. Typosquatting and combosquatting attacks on the python ecosystem. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 509–514. https://doi.org/10.1109/EuroSPW51379.2020.00074
[24] Nusrat Zahan, Laurie Williams, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, and Chandra Maddila. 2021. What are Weak Links in the npm Supply Chain? arXiv preprint arXiv:2112.10165 (2021).


Published In

ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security
August 2022
1371 pages
ISBN:9781450396707
DOI:10.1145/3538969

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 August 2022


Author Tags

  1. JavaScript
  2. Open source software
  3. npm
  4. software supply chain

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2022

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (Last 12 months): 421
  • Downloads (Last 6 weeks): 100
Reflects downloads up to 16 Oct 2024

Cited By

  • (2024) SpiderScan: Practical Detection of Malicious NPM Packages Based on Graph-Based Behavior Modeling and Matching. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, 1146–1158. https://doi.org/10.1145/3691620.3695492. Online publication date: 27-Oct-2024
  • (2024) Malicious Package Detection using Metadata Information. Proceedings of the ACM Web Conference 2024, 1779–1789. https://doi.org/10.1145/3589334.3645543. Online publication date: 13-May-2024
  • (2024) Software supply chain security: a systematic literature review. International Journal of Computers and Applications 46(10), 853–867. https://doi.org/10.1080/1206212X.2024.2390978. Online publication date: 19-Aug-2024
  • (2024) OSSIntegrity: Collaborative open-source code integrity verification. Computers & Security 144, 103977. https://doi.org/10.1016/j.cose.2024.103977. Online publication date: Sep-2024
  • (2023) SoK: Practical Detection of Software Supply Chain Attacks. Proceedings of the 18th International Conference on Availability, Reliability and Security, 1–11. https://doi.org/10.1145/3600160.3600162. Online publication date: 29-Aug-2023
  • (2023) "Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain. 2023 IEEE Symposium on Security and Privacy (SP), 1545–1560. https://doi.org/10.1109/SP46215.2023.10179378. Online publication date: May-2023
  • (2023) A Needle is an Outlier in a Haystack: Hunting Malicious PyPI Packages with Code Clustering. 2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE), 307–318. https://doi.org/10.1109/ASE56229.2023.00085. Online publication date: 11-Sep-2023
  • (2023) DeepSecure: Malicious JavaScript and NPM Package Scanner. Proceedings of the 9th IRC Conference on Science, Engineering, and Technology, 511–522. https://doi.org/10.1007/978-981-99-8369-8_48. Online publication date: 21-Dec-2023
