The Open Source Security Foundation has released the first prototype of an innovative tool capable of dynamically analysing all packages that have been uploaded to open-source repositories.
Called the Package Analysis project, the initiative aims to secure open-source packages by detecting and alerting users to any malicious behavior with the goal of bolstering the security of the software supply chain and increasing trust in open-source software.
“The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run?” the OpenSSF said.
“The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously,” the foundation’s Caleb Brown and David A. Wheeler added.
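The behavioural tracking described above, as an added example that is not OpenSSF's own code: two recorded reports of what a package did during install (files opened, hosts contacted, programs run) are diffed, and only capabilities the newer version gained are reported. The `kind:value` report format and the sample reports are constructed for this illustration.

```python
# Added example (not OpenSSF code): diff two recorded behaviour reports for
# successive versions of a package and flag newly acquired capabilities.
from dataclasses import dataclass

# Paths that an install step has no business reading (credential stores).
SENSITIVE_PATHS = ("/etc/passwd", "/.ssh/", "/.npmrc", "/.pypirc", "/.aws/")

@dataclass(frozen=True)
class Behavior:
    files: frozenset      # paths opened during install/import
    addresses: frozenset  # host:port pairs connected to
    commands: frozenset   # programs executed

def parse_report(lines):
    """Parse 'kind:value' lines (a constructed format, not the project's) into a Behavior."""
    buckets = {"file": set(), "net": set(), "cmd": set()}
    for line in lines:
        kind, _, value = line.strip().partition(":")
        if kind in buckets and value:
            buckets[kind].add(value)
    return Behavior(frozenset(buckets["file"]),
                    frozenset(buckets["net"]),
                    frozenset(buckets["cmd"]))

def diff_behavior(old, new):
    """Return only what the new version does that the old one did not."""
    return {
        "files": new.files - old.files,
        "addresses": new.addresses - old.addresses,
        "commands": new.commands - old.commands,
    }

def findings(delta):
    """Reasons the change deserves review; an empty list means no new capability."""
    out = []
    for path in sorted(delta["files"]):
        if any(s in path for s in SENSITIVE_PATHS):
            out.append(f"reads sensitive file {path}")
    for addr in sorted(delta["addresses"]):
        out.append(f"new network destination {addr}")
    for cmd in sorted(delta["commands"]):
        out.append(f"new command executed: {cmd}")
    return out

# Constructed sample reports for two versions of a fictional package.
V1_REPORT = ["file:/usr/lib/python3/site-packages/demo/__init__.py",
             "net:files.pythonhosted.org:443", "cmd:python3"]
V2_REPORT = V1_REPORT + ["file:/home/build/.pypirc",
                         "net:203.0.113.7:8080", "cmd:/bin/sh"]

if __name__ == "__main__":
    for f in findings(diff_behavior(parse_report(V1_REPORT), parse_report(V2_REPORT))):
        print("ALERT:", f)
```

Running it against the sample reports prints three alerts for version 2 (a credential file read, a new network destination and a shell spawn) and nothing for an unchanged package.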
In a test run that lasted a month, the tool identified more than 200 malicious packages uploaded to PyPI and NPM, with a majority of the rogue libraries leveraging dependency confusion and typosquatting attacks.
Google, which is a member of OpenSSF, has also rallied its support behind the Package Analysis project, while emphasizing the need for “vetting packages being published in order to keep users safe.”
Last year, the tech giant's Open Source Security Team created a new framework called Supply Chain Levels for Software Artifacts (SLSA) to protect the integrity of software packages and prevent unauthorized modification.
The development comes as developers are increasingly being targeted with malware designed to steal information and mine cryptocurrency.