On the feasibility of detecting injections in malicious npm packages

Simone Scalco; Ranindya Paramitha; Duc Ly Vu; Fabio Massacci

doi:10.1145/3538969.3543815

On the feasibility of detecting injections in malicious npm packages

Simone Scalco, Ranindya Paramitha, Duc Ly Vu, Fabio Massacci

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Open-source packages typically have their source code available on a source code repository (e.g., on GitHub), but developers prefer to use pre-built artifacts directly from the package repositories (such as npm for JavaScript). Between the source code and the distributed artifacts, there could be differences that pose security risks (e.g., attackers deploy malicious code during package installation) in the software supply chain. Existing package scanners focus on the entire artifact of a package to detect this kind of attacks. These procedures are not only time consuming, but also generate high irrelevant alerts (FPs). An approach called LastPyMile by Vu et al. (ESEC/FSE'21) has been shown to be effective in detecting discrepancies and reducing false alerts in vetting Python packages on PyPI by focusing only on the differences between the source and the package. In this work, we propose to port that approach to scan JavaScript packages in the npm ecosystem. We presented a preliminary evaluation of our implementation on a set of real malicious npm packages and the top popular packages. The results show that while being 20.7x faster than git-log approach, our approach managed to reduce the percentage of false alerts produced by package scanner by 69%.

Original language	English
Title of host publication	ARES '22
Subtitle of host publication	Proceedings of the 17th International Conference on Availability, Reliability and Security
Publisher	Association for Computing Machinery
Pages	1-8
Number of pages	8
ISBN (Electronic)	9781450396707
DOIs	https://doi.org/10.1145/3538969.3543815
Publication status	Published - Aug 2022
Event	17th International Conference on Availability, Reliability and Security, ARES 2022 - Vienna, Austria Duration: 23 Aug 2022 → 26 Aug 2022

Publication series

Name	ACM International Conference Proceeding Series

Conference

Conference	17th International Conference on Availability, Reliability and Security, ARES 2022
Country/Territory	Austria
City	Vienna
Period	23/08/22 → 26/08/22

Bibliographical note

Funding Information:
This research was done while Duc-Ly Vu was with the University of Trento. This work has been partly supported by the European Union H2020 Program under the Grant 952647 (AssureMOSS - www. assuremoss.eu).

Publisher Copyright:
© 2022 ACM.

Funding

This research was done while Duc-Ly Vu was with the University of Trento. This work has been partly supported by the European Union H2020 Program under the Grant 952647 (AssureMOSS - www. assuremoss.eu).

Keywords

JavaScript
npm
Open source software
software supply chain

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1145/3538969.3543815

Persistent URL (handle)

Persistent link

Cite this

Scalco, S., Paramitha, R., Vu, D. L., & Massacci, F. (2022). On the feasibility of detecting injections in malicious npm packages. In ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security (pp. 1-8). Article 115 (ACM International Conference Proceeding Series). Association for Computing Machinery. https://doi.org/10.1145/3538969.3543815

@inproceedings{f35cbcc95254487da9c553ca3e336ee8,

title = "On the feasibility of detecting injections in malicious npm packages",

abstract = "Open-source packages typically have their source code available on a source code repository (e.g., on GitHub), but developers prefer to use pre-built artifacts directly from the package repositories (such as npm for JavaScript). Between the source code and the distributed artifacts, there could be differences that pose security risks (e.g., attackers deploy malicious code during package installation) in the software supply chain. Existing package scanners focus on the entire artifact of a package to detect this kind of attacks. These procedures are not only time consuming, but also generate high irrelevant alerts (FPs). An approach called LastPyMile by Vu et al. (ESEC/FSE'21) has been shown to be effective in detecting discrepancies and reducing false alerts in vetting Python packages on PyPI by focusing only on the differences between the source and the package. In this work, we propose to port that approach to scan JavaScript packages in the npm ecosystem. We presented a preliminary evaluation of our implementation on a set of real malicious npm packages and the top popular packages. The results show that while being 20.7x faster than git-log approach, our approach managed to reduce the percentage of false alerts produced by package scanner by 69\%. ",

keywords = "JavaScript, npm, Open source software, software supply chain",

author = "Simone Scalco and Ranindya Paramitha and Vu, \{Duc Ly\} and Fabio Massacci",

note = "Funding Information: This research was done while Duc-Ly Vu was with the University of Trento. This work has been partly supported by the European Union H2020 Program under the Grant 952647 (AssureMOSS - www. assuremoss.eu). Publisher Copyright: {\textcopyright} 2022 ACM.; 17th International Conference on Availability, Reliability and Security, ARES 2022 ; Conference date: 23-08-2022 Through 26-08-2022",

year = "2022",

month = aug,

doi = "10.1145/3538969.3543815",

language = "English",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

pages = "1--8",

booktitle = "ARES '22",

}

Scalco, S, Paramitha, R, Vu, DL & Massacci, F 2022, On the feasibility of detecting injections in malicious npm packages. in ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security., 115, ACM International Conference Proceeding Series, Association for Computing Machinery, pp. 1-8, 17th International Conference on Availability, Reliability and Security, ARES 2022, Vienna, Austria, 23/08/22. https://doi.org/10.1145/3538969.3543815

On the feasibility of detecting injections in malicious npm packages. / Scalco, Simone; Paramitha, Ranindya; Vu, Duc Ly et al.
ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security. Association for Computing Machinery, 2022. p. 1-8 115 (ACM International Conference Proceeding Series).

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - On the feasibility of detecting injections in malicious npm packages

AU - Scalco, Simone

AU - Paramitha, Ranindya

AU - Vu, Duc Ly

AU - Massacci, Fabio

N1 - Funding Information: This research was done while Duc-Ly Vu was with the University of Trento. This work has been partly supported by the European Union H2020 Program under the Grant 952647 (AssureMOSS - www. assuremoss.eu). Publisher Copyright: © 2022 ACM.

PY - 2022/8

Y1 - 2022/8

N2 - Open-source packages typically have their source code available on a source code repository (e.g., on GitHub), but developers prefer to use pre-built artifacts directly from the package repositories (such as npm for JavaScript). Between the source code and the distributed artifacts, there could be differences that pose security risks (e.g., attackers deploy malicious code during package installation) in the software supply chain. Existing package scanners focus on the entire artifact of a package to detect this kind of attacks. These procedures are not only time consuming, but also generate high irrelevant alerts (FPs). An approach called LastPyMile by Vu et al. (ESEC/FSE'21) has been shown to be effective in detecting discrepancies and reducing false alerts in vetting Python packages on PyPI by focusing only on the differences between the source and the package. In this work, we propose to port that approach to scan JavaScript packages in the npm ecosystem. We presented a preliminary evaluation of our implementation on a set of real malicious npm packages and the top popular packages. The results show that while being 20.7x faster than git-log approach, our approach managed to reduce the percentage of false alerts produced by package scanner by 69%.

AB - Open-source packages typically have their source code available on a source code repository (e.g., on GitHub), but developers prefer to use pre-built artifacts directly from the package repositories (such as npm for JavaScript). Between the source code and the distributed artifacts, there could be differences that pose security risks (e.g., attackers deploy malicious code during package installation) in the software supply chain. Existing package scanners focus on the entire artifact of a package to detect this kind of attacks. These procedures are not only time consuming, but also generate high irrelevant alerts (FPs). An approach called LastPyMile by Vu et al. (ESEC/FSE'21) has been shown to be effective in detecting discrepancies and reducing false alerts in vetting Python packages on PyPI by focusing only on the differences between the source and the package. In this work, we propose to port that approach to scan JavaScript packages in the npm ecosystem. We presented a preliminary evaluation of our implementation on a set of real malicious npm packages and the top popular packages. The results show that while being 20.7x faster than git-log approach, our approach managed to reduce the percentage of false alerts produced by package scanner by 69%.

KW - JavaScript

KW - npm

KW - Open source software

KW - software supply chain

UR - https://www.scopus.com/pages/publications/85136981867

UR - https://www.scopus.com/inward/citedby.url?scp=85136981867&partnerID=8YFLogxK

U2 - 10.1145/3538969.3543815

DO - 10.1145/3538969.3543815

M3 - Conference contribution

AN - SCOPUS:85136981867

T3 - ACM International Conference Proceeding Series

SP - 1

EP - 8

BT - ARES '22

PB - Association for Computing Machinery

T2 - 17th International Conference on Availability, Reliability and Security, ARES 2022

Y2 - 23 August 2022 through 26 August 2022

ER -

On the feasibility of detecting injections in malicious npm packages

Abstract

Publication series

Conference

Bibliographical note

Funding

Keywords

UN SDGs

Access to Document

Persistent URL (handle)

Other files and links

Fingerprint

Cite this