Given the rise in malicious packages flooding the open-source environment, a new “Package Analysis” tool has arrived to help remedy this issue. This new tool will scan npm and PyPI packages to detect malicious behaviour.
Package Analysis Tool Launched
Recently, the Open Source Security Foundation (OpenSSF) has released its prototype version of the “Package Analysis” tool to scan for malicious packages. The tool is available for all users on GitHub.
Describing the tool, the developers stated that “Package Analysis” will help the open-source community in promptly detecting malicious packages.
The goal is… to work together and provide extensible, community-run infrastructure to study the behavior of open source packages and to look for malicious software. We also hope that the components can be used independently, to provide package feeds or runtime behavior data for anyone interested.
Regarding the tool’s structure, it comprises three components:
- Scheduler: creates the analysis jobs for the analysis workers.
- Analysis: runs static and dynamic analysis of each package and gathers package behavior data.
- Loader: pushes the analysis results into BigQuery.
Elaborating further in a separate blog post, OpenSSF officials stated that the tool successfully detected over 200 malicious PyPI and npm packages during tests. Most of these were typosquatting and dependency-confusion attacks.
Explaining how the tool works, the post states,
The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run? The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously.
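The behaviour-tracking idea in that quote, as an added illustration that is not code from the OpenSSF Package Analysis project: it assumes a dynamic-analysis run yields, per package version, the files accessed, the addresses contacted and the commands executed, and it compares two such records so that a version which suddenly touches credential files, opens a network connection or runs a shell tool stands out against its own baseline. The report shape, the heuristics and the sample package are all constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class BehaviorReport:
    """Behaviour captured for one package version (assumed report shape, not the project's)."""
    package: str
    version: str
    files: set[str] = field(default_factory=set)
    addresses: set[str] = field(default_factory=set)
    commands: set[str] = field(default_factory=set)


# Heuristics (hypothetical) for what a library package rarely has a legitimate reason to do.
SENSITIVE_FILE_MARKERS = ("id_rsa", ".npmrc", ".pypirc", ".env", "credentials", "/etc/passwd")
EXFIL_CAPABLE_BINARIES = {"curl", "wget", "nc", "ncat", "bash", "sh", "powershell"}


def new_behaviors(old: BehaviorReport, new: BehaviorReport) -> dict[str, list[str]]:
    """Behaviours present in the newer version's report but absent from the older one."""
    return {
        "files": sorted(new.files - old.files),
        "addresses": sorted(new.addresses - old.addresses),
        "commands": sorted(new.commands - old.commands),
    }


def flag_changes(old: BehaviorReport, new: BehaviorReport) -> list[str]:
    """Turn the behaviour delta into human-readable findings for triage."""
    delta = new_behaviors(old, new)
    findings = []
    for path in delta["files"]:
        if any(marker in path for marker in SENSITIVE_FILE_MARKERS):
            findings.append(f"new access to sensitive file: {path}")
    for addr in delta["addresses"]:
        # Any new network destination is worth a look; a package that never
        # made a connection before and now does at install time even more so.
        findings.append(f"new network destination: {addr}")
    for cmd in delta["commands"]:
        binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd.strip() else ""
        if binary in EXFIL_CAPABLE_BINARIES:
            findings.append(f"new execution of shell/network tool: {cmd}")
    return findings


# Constructed sample reports for a hypothetical package; not real analysis data.
BASELINE = BehaviorReport(
    package="example-pkg",
    version="1.0.0",
    files={"/usr/lib/python3/site-packages/example_pkg/__init__.py"},
)
SUSPECT = BehaviorReport(
    package="example-pkg",
    version="1.0.1",
    files={
        "/usr/lib/python3/site-packages/example_pkg/__init__.py",
        "/home/build/.ssh/id_rsa",
    },
    addresses={"203.0.113.10:443"},  # documentation address range, constructed
    commands={"/usr/bin/curl -s https://203.0.113.10/"},
)


def sample_findings() -> list[str]:
    """Findings for the constructed 1.0.0 -> 1.0.1 change."""
    return flag_changes(BASELINE, SUSPECT)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Comparing each version against the package's own previous behaviour, rather than against a fixed rule set alone, is what lets a long-trusted package be caught at the moment it changes; the same diff run against the baseline itself produces no findings.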
The developers stated that the tool had been in development for a while, but that the recent incidents of malicious packages appearing on open source repositories made it much-needed for the community. They also welcome feedback and contributor participation in the project for improvements and performance enhancements.