New OpenSSF Project Hunts for Malicious Packages in Open Source Repositories
The Open Source Security Foundation (OpenSSF) has announced a new project whose goal is to help identify malicious packages in open source repositories.
The Package Analysis project, OpenSSF says, aims to identify the behavior and capabilities of open source packages – including files they access, commands they support, and IPs they connect to – and track modifications that could reveal suspicious activities.
“This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem,” OpenSSF says.
Under development for a while, the project went through extensive changes and only recently became useful, the Foundation says.
Package Analysis dynamically investigates packages in popular open source repositories and places the results in a BigQuery table. The project has already identified more than 200 malicious PyPI and npm packages, most of which were dependency confusion and typosquatting attacks.
The identified packages typically contained a simple script designed to run at install time and send home a small amount of information about the host. However, such packages could have done far more harm to those who installed them.
According to OpenSSF, most of these malicious packages could be the work of security researchers, given that no meaningful data was being exfiltrated and that no attempt was made at disguising the behavior.
The Foundation is calling for contributors to help advance the project: to improve behavioral detection, automate result processing, store processed packages for long-term analysis, and improve reliability.
Google, which has long advocated for a safer open source environment and which is a member of OpenSSF, has already announced support for the project.
“This program contributes to a more secure software supply chain and greater trust in open source software. The program also gives insight into the types of malicious packages that are most common at any given time, which can guide decisions about how to better protect the ecosystem,” Google says.
According to the internet giant, the short time that Package Analysis needed to identify malicious projects shows that more should be invested in vetting packages to keep users safe.
“This is a growing space, and having an open standard for reporting would help centralize analysis results and offer consumers a trusted place to assess the packages they’re considering using. Creating an open standard should also foster healthy competition, promote integration, and raise the overall security of open source packages,” Google concluded.