SoK: Taxonomy of attacks on open-source software supply chains
The widespread dependency on open-source software makes it a fruitful target for malicious
actors, as demonstrated by recurring attacks. The complexity of today's open-source supply …
What are weak links in the npm supply chain?
N Zahan, T Zimmermann, P Godefroid… - Proceedings of the 44th …, 2022 - dl.acm.org
Modern software development frequently uses third-party packages, raising the concern of
supply chain security attacks. Many attackers target popular package managers, like npm …
Research directions in software supply chain security
Reusable software libraries, frameworks, and components, such as those provided by open-
source ecosystems and third-party suppliers, accelerate digital innovation. However, recent …
Practical automated detection of malicious npm packages
The npm registry is one of the pillars of the JavaScript and TypeScript ecosystems, hosting
over 1.7 million packages ranging from simple utility libraries to complex frameworks and …
Dlap: A deep learning augmented large language model prompting framework for software vulnerability detection
Software vulnerability detection is generally supported by automated static analysis tools,
which have recently been reinforced by deep learning (DL) models. However, despite the …
Lastpymile: identifying the discrepancy between sources and packages
Open source packages have source code available on repositories for inspection (e.g. on
GitHub) but developers use pre-built packages directly from the package repositories (such …
Taxonomy of attacks on open-source software supply chains
The widespread dependency on open-source software makes it a fruitful target for malicious
actors, as demonstrated by recurring attacks. The complexity of today's open-source supply …
Software supply chain: review of attacks, risk assessment strategies and security controls
The software product is a source of cyber-attacks that target organizations by using their
software supply chain as a distribution vector. As the reliance of software projects on open …
An empirical study of malicious code in pypi ecosystem
PyPI provides a convenient and accessible package management platform to developers,
enabling them to quickly implement specific functions and improve work efficiency. However …
On the feasibility of detecting injections in malicious npm packages
Open-source packages typically have their source code available on a source code
repository (e.g., on GitHub), but developers prefer to use pre-built artifacts directly from the …