Google touts new tool that scans popular open source repositories for malicious packages
The Open Source Security Foundation (OpenSSF) has announced the creation of a tool that can be used to scan popular open source repositories for malicious packages.
The Package Analysis project was presented by Google, which is a member of OpenSSF and has worked closely with the foundation on a variety of security-related projects.
The program performs a dynamic analysis of all packages uploaded to popular open-source repositories and catalogs the results in a BigQuery table, according to senior Google software engineer Caleb Brown.
Brown explained that despite the essential role of open source software in current technology, it is still far too easy for malicious actors to circulate malicious packages that attack systems and users running such software.
“Unlike mobile app stores which can search for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute,” Brown said.
“As a result, malicious packages such as ua-parser-js and node-ipc are regularly uploaded to popular repositories despite their best efforts, with sometimes devastating consequences for users.”
Brown added that by detecting malicious activity and alerting consumers to suspicious behavior before they select packages, the program “contributes to a more secure software supply chain and greater trust in open-source software.”
Over the past two years, researchers have discovered hundreds of malicious packages in popular repositories, prompting tech leaders to fix the problem.
Brown said the space continues to grow significantly and “having an open standard for reporting would help centralize analytics results and give consumers a trusted place to evaluate packages they are considering using.”
An open standard “should also foster healthy competition, promote integration, and improve the overall security of open source packages,” Brown said.
The program also provides researchers with information about the most popular types of malicious packages at any given time.
“Although the project has been in development for some time, it has only recently become useful after extensive modifications based on early experiences.”
OpenSSF was created in 2020 by leading tech companies to help direct, guide, and share open source security tools.
Apart from Google, the OpenSSF member list also includes GitHub, Microsoft, Canonical, Cisco, Facebook, Intel, HP, Tencent, IBM, Red Hat, Samsung, and many more.