OpenSSF Releases Malicious Packages Repository
Written by Alex Denham   
Thursday, 26 October 2023

The OpenSSF Package Analysis team has released a Malicious Packages repository, which they describe as an open source system for collecting and publishing cross-ecosystem reports of malicious packages.

The OpenSSF says they've developed the repository in response to increasing attacks that include malicious open source packages. The hope is that a centralized repository for shared intelligence could alert the community to attacks and help clarify what threats are out there.


Malicious packages in this context are malware that is delivered as an open source package and published to a package repository, such as PyPI or NPM. The packages are then used to attack the developers or companies that unwittingly install and run them.

The Package Analysis project aims to find malicious packages as early as possible by downloading, installing and executing packages from popular open source package repositories as they are published. As each package runs in the analysis sandbox, the software records the commands it executes and analyzes its network traffic to work out whether the package is behaving maliciously. If it is, a report is generated and published to the new Malicious Packages repository.

The repository is also intended to serve as a public database that aggregates reports of malicious packages, so that tooling can stop malicious dependencies from moving through CI/CD pipelines and can scan for and block their use. The reports in the Malicious Packages repository use the Open Source Vulnerability (OSV) JSON format, which makes it possible to reuse existing integrations, including the osv.dev API, the osv-scanner tool, and deps.dev.
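Because the reports are ordinary OSV JSON documents, a CI step can consume them without any OpenSSF-specific tooling. The following is an added example, not code from OpenSSF, the Malicious Packages repository or the article: it parses two constructed OSV-shaped records (their MAL- identifiers are placeholders, not real advisories), normalizes package names the way the respective registry does, and checks a constructed dependency list against them. It also builds, but does not send, the request body for the osv.dev batch query endpoint so the same (ecosystem, name, version) triples can be looked up online.

```python
# Added example: match a dependency list against OSV JSON malicious-package
# reports. Records and dependencies below are constructed for illustration.
import json
import re

SAMPLE_OSV_RECORDS = [
    # Whole package is malware: an ECOSYSTEM range introduced at "0" with no
    # "fixed"/"last_affected" event means every published version is affected.
    json.dumps({
        "schema_version": "1.4.0",
        "id": "MAL-0000-0001",  # placeholder id, not a real advisory
        "summary": "Malicious code in Example-Pkg (PyPI)",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "Example-Pkg"},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
        }],
    }),
    # Only specific releases were hijacked: listed explicitly in "versions".
    json.dumps({
        "schema_version": "1.4.0",
        "id": "MAL-0000-0002",  # placeholder id, not a real advisory
        "summary": "Malicious code in evil-util (npm)",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "evil-util"},
            "versions": ["1.0.2", "1.0.3"],
        }],
    }),
]

# Constructed dependency list: (ecosystem, name as written in manifest, version).
SAMPLE_DEPENDENCIES = [
    ("PyPI", "example_pkg", "0.3.1"),  # differs from the record only in spelling
    ("npm", "evil-util", "1.0.1"),     # version outside the hijacked set
    ("npm", "evil-util", "1.0.3"),     # hijacked release
    ("PyPI", "safe-lib", "2.0.0"),     # no report
]


def normalize_name(ecosystem, name):
    """Canonicalise a package name the way its registry does.

    PyPI names are case-insensitive and treat runs of '-', '_' and '.' as
    equivalent (PEP 503). npm names are already lowercase and exact; other
    ecosystems are compared verbatim here.
    """
    if ecosystem == "PyPI":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name


def affected_versions(affected):
    """Return (all_versions, explicit_versions) for one OSV 'affected' entry.

    Only the whole-package-malware pattern is evaluated from ranges: an
    introduced event with no fixed/last_affected event. Bounded ranges need
    ecosystem-specific version ordering, so for those the check falls back
    to the explicit 'versions' list.
    """
    for rng in affected.get("ranges", []):
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue
        events = rng.get("events", [])
        has_start = any("introduced" in e for e in events)
        has_end = any("fixed" in e or "last_affected" in e for e in events)
        if has_start and not has_end:
            return True, set()
    return False, set(affected.get("versions", []))


def load_records(json_strings):
    """Parse OSV JSON documents (the repository stores one report per file)."""
    return [json.loads(s) for s in json_strings]


def find_malicious(dependencies, records):
    """Return one finding per (dependency, report) match, in dependency order."""
    index = {}
    for rec in records:
        for aff in rec.get("affected", []):
            pkg = aff.get("package", {})
            eco = pkg.get("ecosystem")
            index.setdefault((eco, normalize_name(eco, pkg.get("name", ""))), []).append((rec, aff))
    findings = []
    for ecosystem, name, version in dependencies:
        for rec, aff in index.get((ecosystem, normalize_name(ecosystem, name)), []):
            all_versions, versions = affected_versions(aff)
            if all_versions or version in versions:
                findings.append({"ecosystem": ecosystem, "name": name, "version": version,
                                 "id": rec["id"], "summary": rec.get("summary", "")})
    return findings


def osv_querybatch_body(dependencies):
    """Request body for POST https://api.osv.dev/v1/querybatch (nothing is sent here)."""
    return {"queries": [{"package": {"ecosystem": eco, "name": name}, "version": ver}
                        for eco, name, ver in dependencies]}


if __name__ == "__main__":
    for h in find_malicious(SAMPLE_DEPENDENCIES, load_records(SAMPLE_OSV_RECORDS)):
        print(f"{h['ecosystem']}/{h['name']}@{h['version']}: {h['id']} - {h['summary']}")
```

The name normalization is the part most often skipped in home-grown checks: a PyPI manifest entry `example_pkg` and a report filed under `Example-Pkg` refer to the same package, and a byte-for-byte comparison would miss the match. Bounded ranges are deliberately left to a real OSV consumer such as osv-scanner, which knows each ecosystem's version ordering.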

The repository already has over 15,000 reports of malicious packages, with current data being sourced from the OpenSSF Package Analysis project, Checkmarx security and exports of malicious packages tracked by GitHub.


More Information

OpenSSF Malicious Packages Repository

Related Articles

Taking Open Source Criticality Seriously

The State Of Secure Software Development - Three OpenSSF Courses
