OpenSSF's Package Analysis:
It’s far too easy today for anybody to upload a malicious package to a package repository and we’ve seen countless instances of malicious packages, typosquatting, and dependency confusion in the past. What do we do about this?
The Package Analysis project is open source scalable infrastructure that automatically monitors and collects signals on every package that is uploaded to package ecosystems such as NPM and PyPI. We are building this project as part of the OpenSSF effort and it has already found hundreds of malicious packages in NPM and PyPI.
This talk outlines how the infrastructure works and how dynamic analysis is performed by intercepting system calls and network traffic. We will cover some interesting cases discovered in the wild and common patterns we’ve seen. Lastly we'll talk about future extensions to the analysis to catch more malicious packages and make consuming open source packages safer for everyone.
Caleb is a Senior Software Engineer working for Google's Open Source Security Team. He is currently focused on finding critical projects, and analysing the behaviour of OSS packages at scale.