The Open Source Security Foundation (OpenSSF) is trying to tackle the problem of malicious open source software with a new repository that aggregates reports of malicious packages.
“Currently, each open source package repository has its own approach to handling malicious packages. When a malicious package is reported by the community, the package repository’s security team takes action against the package and its associated metadata. Deleting data is common. Unfortunately, these actions often occur without public record. To discover what malicious packages are present, data must be gathered from many disparate public sources or through proprietary threat intelligence feeds,” wrote Caleb Brown, senior software engineer on Google’s open source security team, and Jossef Harush Kadouri, head of software supply chain security at Checkmarx, in a blog post.
The Malicious Packages repository acts as a public database where reports of malicious packages are stored.
A public repository of this information, Brown and Kadouri explained, would help defenders “stop malicious dependencies from passing through our CI/CD pipelines, improve our detection engines, scan and prevent their use in our environments, and… or speed up incident response.”
Reports are saved using the Open Source Vulnerability (OSV) format, making them easy to use with tools such as the osv.dev API, the osv-scanner tool, and deps.dev.
The repository draws on three sources: reports from Checkmarx Security, malicious package advisories exported from GitHub, and findings from OpenSSF’s Package Analysis project. Package Analysis examines the behavior of a package, including the files it accesses, the addresses it connects to, and the commands it executes, which can help determine whether a package is behaving maliciously. It also tracks changes in behavior over time, which can reveal a package that was previously safe but turned malicious at some point.
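To show what the OSV format mentioned above buys a defender in practice, here is an added example (not code from the OpenSSF project or the blog post) that checks a list of dependencies against a malicious package report written in the OSV schema. The report itself is constructed for this illustration: the id `MAL-0000-EXAMPLE` and the package names are placeholders, not real advisories. The schema fields it relies on (`id`, `affected[].package.ecosystem`, `affected[].package.name`, `affected[].versions`, `affected[].ranges[].events`) are standard OSV fields.

```python
import json

# Constructed sample report in OSV format. The id and package names are
# placeholders for this example and do not refer to real advisories.
SAMPLE_REPORT = json.loads("""
{
  "id": "MAL-0000-EXAMPLE",
  "summary": "Constructed example report of a malicious package",
  "affected": [
    {
      "package": {"ecosystem": "npm", "name": "example-evil-pkg"},
      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]
    },
    {
      "package": {"ecosystem": "PyPI", "name": "example-typosquat"},
      "versions": ["1.0.1", "1.0.2"]
    }
  ]
}
""")


def version_affected(entry, version):
    """Return True if `version` falls inside an OSV `affected` entry.

    An explicit `versions` list is authoritative when present. Otherwise
    a range whose events contain `introduced: "0"` and no `fixed` event
    means every version is affected, which is the usual shape for a
    malicious package report (the whole package is bad, not one release).
    """
    if "versions" in entry:
        return version in entry["versions"]
    for rng in entry.get("ranges", []):
        events = rng.get("events", [])
        introduced_from_zero = any(e.get("introduced") == "0" for e in events)
        has_fix = any("fixed" in e for e in events)
        if introduced_from_zero and not has_fix:
            return True
    return False


def find_malicious(reports, dependencies):
    """Match (ecosystem, name, version) tuples against OSV reports.

    Package names are compared case-insensitively; PyPI additionally treats
    `_`, `-` and `.` as equivalent, so a production checker should apply the
    full PEP 503 normalisation before comparing.
    Returns a list of (ecosystem, name, version, report_id) hits.
    """
    hits = []
    for ecosystem, name, version in dependencies:
        for report in reports:
            for entry in report.get("affected", []):
                pkg = entry.get("package", {})
                if (pkg.get("ecosystem") == ecosystem
                        and pkg.get("name", "").lower() == name.lower()
                        and version_affected(entry, version)):
                    hits.append((ecosystem, name, version, report["id"]))
    return hits


if __name__ == "__main__":
    # Constructed dependency list, as a CI step might extract from a lockfile.
    deps = [
        ("npm", "example-evil-pkg", "2.3.4"),
        ("PyPI", "example-typosquat", "1.0.1"),
        ("PyPI", "example-typosquat", "1.1.0"),
        ("npm", "lodash", "4.17.21"),
    ]
    for hit in find_malicious([SAMPLE_REPORT], deps):
        print("BLOCK:", hit)
```

Run in a CI job, a non-empty result from `find_malicious` is the signal to fail the build; the same matching logic applies whether the reports come from a local clone of the repository or from the osv.dev API.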