OpenSSF launches package scanner to detect malicious packages

With malicious packages increasingly flooding the open source ecosystem, a new “Package Analysis” tool has arrived to help address the problem. The tool scans npm and PyPI packages for malicious behavior.

Launching the package analysis tool

Recently, the Open Source Security Foundation (OpenSSF) released its prototype version of the “Package Analysis” tool to scan for malicious packages. The tool is available for all users on GitHub.

Describing the tool, the developers said “Package Analysis” will help the open source community detect malicious packages quickly:

The goal is… to work together and provide an extensible community-managed infrastructure to study the behavior of open source packages and search for malware. We also hope that the components can be used independently, to provide package streams or runtime behavior data to anyone interested.

Structurally, the tool consists of three components:

  • Planner: creates the jobs for the analysis agent.
  • Analysis: performs static and dynamic analysis of each package and gathers package behavior data.
  • Loader: sends analysis results to BigQuery.

Elaborating further in a separate blog post, OpenSSF officials said the tool successfully detected 200+ malicious PyPI and npm packages during testing. Most of these were typosquatting or dependency confusion attacks.

Explaining how the tool works, the blog post says:

The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they execute? The project also tracks changes in package behavior over time, to identify when previously safe software begins to act suspiciously.
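The behavior-over-time tracking described above, as an added example that is not the project's own code: it diffs two constructed per-version behavior records of a hypothetical package and reports what the newer release started doing. The record layout, field names, package directory and sample values are all assumptions, since the page does not give the project's real report format.

```python
"""Flag newly appearing file accesses, network connections and executed
commands between two versions of a package (illustrative, not the
OpenSSF Package Analysis code; report layout is assumed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Behavior:
    """Observed behavior of one package version under dynamic analysis."""
    files: frozenset
    hosts: frozenset
    commands: frozenset


def behavior_from_report(report: dict) -> Behavior:
    """Build a Behavior from a (hypothetical) analysis report dict."""
    return Behavior(frozenset(report.get("files", [])),
                    frozenset(report.get("hosts", [])),
                    frozenset(report.get("commands", [])))


def diff_behavior(old: Behavior, new: Behavior) -> dict:
    """Return what the new version does that the old version did not."""
    return {"files": sorted(new.files - old.files),
            "hosts": sorted(new.hosts - old.hosts),
            "commands": sorted(new.commands - old.commands)}


def suspicious_changes(delta: dict, package_dir: str) -> list:
    """Keep only the changes worth a human look: any new network peer,
    any new command, and new file accesses outside the package's own dir."""
    findings = [f"new network connection to {h}" for h in delta["hosts"]]
    findings += [f"new command executed: {c}" for c in delta["commands"]]
    findings += [f"new file access outside package: {p}"
                 for p in delta["files"] if not p.startswith(package_dir)]
    return findings


def compare_reports(old: dict, new: dict, package_dir: str) -> list:
    """Convenience wrapper: report dicts in, list of findings out."""
    return suspicious_changes(
        diff_behavior(behavior_from_report(old), behavior_from_report(new)),
        package_dir)


# Constructed sample reports: a quiet 1.0.0 and a 1.0.1 that starts phoning home.
PKG_DIR = "/site-packages/foo/"
REPORT_V1 = {"files": [PKG_DIR + "__init__.py"], "hosts": [], "commands": []}
REPORT_V2 = {"files": [PKG_DIR + "__init__.py", "/home/user/.ssh/id_rsa"],
             "hosts": ["203.0.113.5:443"], "commands": ["/bin/sh -c id"]}

if __name__ == "__main__":
    for finding in compare_reports(REPORT_V1, REPORT_V2, PKG_DIR):
        print(finding)
```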

The developers stated that work on this tool has been ongoing for some time. However, recent incidents of malicious packages appearing on open source repositories have made it a must-have for the community. They also welcome feedback and input from project contributors for improvements and performance enhancements.

Let us know your thoughts in the comments.