Highlights:
- Malicious open-source packages encompass a spectrum of issues, including vulnerable code, which comprises weaknesses open to exploitation.
- The Open Source Vulnerability format is used for reports in the Malicious Packages Repository.
The Open Source Security Foundation recently unveiled the Malicious Packages Repository—an open-source system that collects and shares reports on malicious packages across various ecosystems.
Claimed the pioneering open-source platform of its kind, this repository was established in direct response to the escalating instances of cyberattacks involving malicious open-source packages. In the context of what this repository tracks, malicious packages refer to types of malware delivered as open-source packages and published through repositories like PyPI or NPM.
These packages encompass a spectrum of issues, including vulnerable code, which comprises weaknesses open to exploitation. On the contrary, packages containing malicious code are deliberately crafted to cause harm or compromise potential victims. The packages are used to attack developers or businesses that install and run them without meaning to. They can be used to get into computers without permission, leak private information, use up computing resources, or even delete or damage data.
The infamous Lazarus gang, which has ties to North Korea and targets the blockchain and cryptocurrency industries by using deceptive npm packages to break into different software supply chains, was given as an example of a malicious package by the OpenSSF. The foundation contends that a centralized repository for shared intelligence could’ve warned the community of the attack earlier and helped the open-source community comprehend the full scope of threats. Malicious Packages Repository comes into play here.
The Malicious Packages Repository closes data gaps by aggregating reports of malicious packages discovered in open-source repositories into a public database. Thus, the database can aid in preventing malicious dependencies from moving through continuous integration/continuous delivery pipelines, optimize detection engines, scan for and prevent utilization in environments, and speed up incident response.
The Open Source Vulnerability format is used for reports in the Malicious Packages Repository. Malicious packages can use integrations already in place by using the OSV format. The format is also extensible, allowing for additional data recording, like indicators of compromise or data classification.
According to Henrik Plate, a security researcher at the dependency lifecycle management start-up Endor Labs Inc., “For academic researchers, in particular, it offers a nice opportunity to explore and test new approaches to malware detection without being required to redo the basic plumbing over and over again,” such as “the monitoring of new package publications on various package registries like PyPI or npm.”
“The database could also be an invaluable dataset for artificial intelligence and machine learning training, comparable to the Backstabber’s Knife Collection if only they would also publish the actual malware,” Henrik Plate added. “I hope this is going to change in the future.”