Open-source security: It's too easy to upload 'devastating' malicious packages, warns Google
1 min read
May 05, 2022
The Google and OpenSSF Package Analysis project aims to reduce security risks created by developers' crazy package-updating schedules.
Google has detailed some of the work done to find malicious code packages that have been sneaked into bigger open-source software projects.
The Package Analysis Project is one of the software supply chain initiatives from the the Linux Foundation's Open Source Security Foundation (OpenSSF) that should help automate the process of identifying malicious packages distributed on popular package repositories, such as npm for JavaScript and PyPl for Python. It runs a dynamic analysis of all packages uploaded to popular open-source repositories. It aims to provide data about common types of malicious packages and inform those working on open-source software supply chain security about how best to improve it.
Related Articles
1 - 0 min read
Malicious Python Projects Targeting Linux, Windows Systems
1 - 0 min read
8220 Hacker Group Attacking Windows & Linux Web Servers
1 - 0 min read
Akira Ransomware Mutates to Target Linux Systems, Adds TTPs
