
On the feasibility of detecting injections in malicious npm packages / Scalco, Simone; Paramitha, Ranindya; Vu Duc, Ly; Massacci, Fabio. - ELECTRONIC. - (2022), pp. 1151-1158. (Paper presented at the ARES conference held in Vienna, Austria, 23-26 August 2022) [10.1145/3538969.3543815].

On the feasibility of detecting injections in malicious npm packages

Paramitha, Ranindya; Vu, Duc-Ly; Massacci, Fabio
2022-01-01

Abstract

Open-source packages typically have their source code available on a source code repository (e.g., on GitHub), but developers prefer to use pre-built artifacts directly from the package repositories (such as npm for JavaScript). Between the source code and the distributed artifacts there can be differences that pose security risks in the software supply chain (e.g., attackers deploying malicious code that runs during package installation). Existing package scanners analyze the entire artifact of a package to detect this kind of attack. These procedures are not only time consuming, but also generate many irrelevant alerts (false positives). An approach called LastPyMile by Vu et al. (ESEC/FSE'21) has been shown to be effective in detecting discrepancies and reducing false alerts when vetting Python packages on PyPI by focusing only on the differences between the source and the package. In this work, we propose to port that approach to scan JavaScript packages in the npm ecosystem. We present a preliminary evaluation of our implementation on a set of real malicious npm packages and on the most popular packages. The results show that, while being 20.7x faster than the git-log approach, our approach reduces the percentage of false alerts produced by the package scanner by 69%.
2022
ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security (IWCSEC 2022)
New York, NY, USA
Association for Computing Machinery
9781450396707
Scalco, Simone; Paramitha, Ranindya; Vu Duc, Ly; Massacci, Fabio
Files in this item:
File  Size  Format
3538969.3543815.pdf

Open access

Type: Refereed post-print (Refereed author's manuscript)
License: All rights reserved
Size: 689.83 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11572/369757
Citations
  • Scopus 10