What are Weak Links in the npm Supply Chain?

@article{Zahan2021WhatAW,
  title={What are Weak Links in the npm Supply Chain?},
  author={Nusrat Zahan and Laurie A. Williams and Thomas Zimmermann and Patrice Godefroid and Brendan Murphy and Chandra Shekhar Maddila},
  journal={2022 IEEE/ACM 44th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)},
  year={2021},
  pages={331-340}
}
  • N. Zahan, L. Williams, C. Maddila
  • Published 19 December 2021
  • Computer Science
  • 2022 IEEE/ACM 44th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)
Modern software development frequently uses third-party packages, raising the concern of supply chain security attacks. Many attackers target popular package managers, like npm, and their users with supply chain attacks. In 2021 there was a 650% year-on-year growth in security attacks by exploiting Open Source Software's supply chain. Proactive approaches are needed to predict package vulnerability to high-risk supply chain attacks. The goal of this work is to help software developers and… 

Investigating Novel Approaches to Defend Software Supply Chain Attacks

This paper extensively reviews software supply chain security using software development tools and infrastructure, investigating how attackers follow the path of least resistance and then adapt to find the next best way to complete an attack.

Taxonomy of Attacks on Open-Source Software Supply Chains

This work proposes a general taxonomy for attacks on open-source supply chains, independent of specific programming languages or ecosystems, and covering all supply chain stages from code contributions to package distribution.

SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties

The paper describes current security approaches and maps them to the proposed security properties, including research ideas and case studies of supply chains in practice, and highlights potential gaps in actor and operation-centered supply chain security techniques.

On the Discoverability of npm Vulnerabilities in Node.js Projects

A large-scale empirical study examining 6,546 Node.js applications finds that applications remain affected by public vulnerabilities for a long time and devises DepReveal, a tool that supports the discoverability analysis approach, to help developers better understand vulnerabilities in their application dependencies and plan their project maintenance.

On the feasibility of detecting injections in malicious npm packages

An approach called LastPyMile by Vu et al. (ESEC/FSE’21) has been shown to be effective in detecting discrepancies and reducing false alerts in vetting Python packages on PyPI, and it is proposed to port that approach to scan JavaScript packages in the npm ecosystem.

PREPRINT: Do OpenSSF Scorecard Practices Contribute to Fewer Vulnerabilities?

Due to the ever-increasing security breaches, practitioners are motivated to produce more secure software. In the United States, the White House Office released a memorandum on Executive Order (EO)

Are your dependencies code reviewed?: Measuring code review coverage in dependency updates

The goal of this study is to aid developers in securely accepting dependency updates by measuring if the code changes in an update have passed through a code review process, using Depdive, an update audit tool for packages in Crates.io, npm, PyPI, and RubyGems registry.

A Benchmark Comparison of Python Malware Detection Approaches

This work explores the security goals of the repository administrators and the requirements for deployments of such malware scanners via a case study of the Python ecosystem and PyPI repository, and evaluates existing malware detection techniques for deployment in this setting.

Phantom Artifacts & Code Review Coverage in Dependency Updates

The goal of this study is to aid developers in securely accepting dependency updates by measuring if the code changes in an update have passed through a code review process, and implement DepDive, an update audit tool for packages in Crates.io, npm, PyPI, and RubyGems registry.

In war and peace: the impact of world politics on software ecosystems

This paper shows three cases where world politics has had an impact on a software ecosystem, and how these incidents may result in either benign or malignant consequences, and concludes with a research agenda with ten research questions to guide future research directions.

References

Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages

A comparative framework to qualitatively assess the functional and security features of package managers for interpreted languages is proposed and well-known program analysis techniques such as metadata, static, and dynamic analysis are applied to study registry abuse.

Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks

This paper presents a dataset as well as analysis of 174 malicious software packages that were used in real-world attacks on open source software supply chains and which were distributed via the popular package repositories npm, PyPI, and RubyGems.

Small World with High Risks: A Study of Security Threats in the npm Ecosystem

Security risks for users of npm are studied by systematically analyzing dependencies between packages, the maintainers responsible for these packages, and publicly reported security issues to provide evidence that npm suffers from single points of failure and that unmaintained packages threaten large code bases.

Secure open source collaboration: an empirical study of Linus' law

This study examines the security of an open source project in the context of developer collaboration by analyzing version control logs and quantifying notions of Linus' Law as well as the "too many cooks in the kitchen" viewpoint into developer activity metrics.

Building secure software: how to avoid security problems the right way

This book defines a wide range of techniques which may be used for use case modeling, and gives the business-oriented software analyst a variety of advanced approaches which also comply with the UML specification.

Security Issues in Language-based Software Ecosystems

It is argued that (i) fully automated detection of malicious packages is likely to be unfeasible; however (ii) tools and metrics that help developers assess the risk of including external dependencies would go a long way toward preventing attacks.

Anomalicious: Automated Detection of Anomalous and Potentially Malicious Commits on GitHub

This work shows how to use only commit logs and repository metadata to automatically detect anomalous and potentially malicious commits and automatically computes several relevant factors, such as the modification of sensitive files, outlier change properties, or a lack of trust in the commit's author, from this data.

Containing Malicious Package Updates in npm with a Lightweight Permission System

A lightweight permission system is proposed that protects Node.js applications by enforcing package permissions at runtime and makes a large number of packages much harder to be exploited, almost for free.

The influence of organizational structure on software quality

This paper presents a metric scheme to quantify organizational complexity, in relation to the product development process to identify if the metrics impact failure-proneness, and provides empirical evidence that the organizational metrics are related to, and are effective predictors of failure-proneness.

Does distributed development affect software quality? An empirical case study of Windows Vista

Examining the overall development of Windows Vista and comparing the post-release failures of components that were developed in a distributed fashion with those that were developed by collocated teams found a negligible difference in failures.