SoK: Taxonomy of attacks on open-source software supply chains
The widespread dependency on open-source software makes it a fruitful target for malicious
actors, as demonstrated by recurring attacks. The complexity of today's open-source supply …
Empirical analysis of security vulnerabilities in python packages
Software ecosystems play an important role in modern software development, providing an
open platform of reusable packages that speed up and facilitate development tasks …
Practical automated detection of malicious npm packages
The npm registry is one of the pillars of the JavaScript and TypeScript ecosystems, hosting
over 1.7 million packages ranging from simple utility libraries to complex frameworks and …
LastPyMile: identifying the discrepancy between sources and packages
Open source packages have source code available on repositories for inspection (e.g. on
GitHub) but developers use pre-built packages directly from the package repositories (such …
Software supply chain: review of attacks, risk assessment strategies and security controls
The software product is a source of cyber-attacks that target organizations by using their
software supply chain as a distribution vector. As the reliance of software projects on open …
Towards using source code repositories to identify software supply chain attacks
Increasing popularity of third-party package repositories, like NPM, PyPI, or RubyGems,
makes them an attractive target for software supply chain attacks. By injecting malicious …
MalTracker: A fine-grained npm malware tracker copiloted by LLM-enhanced dataset
Z Yu, M Wen, X Guo, H ** - Proceedings of the 33rd ACM SIGSOFT …, 2024 - dl.acm.org
As the largest package registry, Node Package Manager (NPM) has become the prime
target for various supply chain attacks recently and has been flooded with numerous …
Investigating package related security threats in software registries
Package registries host reusable code assets, allowing developers to share and reuse
packages easily, thus accelerating the software development process. Current software …
Software supply chain security: a systematic literature review
BM Reichert, RR Obelheiro - International Journal of Computers …, 2024 - Taylor & Francis
In recent years, software supply chain security has attracted significant research attention.
This research subject is concerned both with the security of infrastructures used to build …
Beyond typosquatting: an in-depth look at package confusion
Package confusion incidents, where a developer is misled into importing a package other
than the intended one, are one of the most severe issues in supply chain security with …