Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks

: Ohm, M.; Plate, H.; Sykosch, A.; Meier, M.


Maurice, C.:
Detection of Intrusions and Malware, and Vulnerability Assessment. 17th International Conference, DIMVA 2020. Proceedings : Lisbon, Portugal, June 24-26, 2020
Cham: Springer Nature, 2020 (Lecture Notes in Computer Science 12223)
ISBN: 978-3-030-52682-5 (Print)
ISBN: 978-3-030-52683-2 (Online)
International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA) <17, 2020, Online>
Conference Paper
Fraunhofer FKIE ()

A software supply chain attack is characterized by the injection of malicious code into a software package in order to compromise dependent systems further down the chain. Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle. Even though many approaches for detection and discovery of vulnerable packages exist, no prior work has focused on malicious packages. This paper presents a dataset as well as analysis of 174 malicious software packages that were used in real-world attacks on open source software supply chains and which were distributed via the popular package repositories npm, PyPI, and RubyGems. Those packages, dating from November 2015 to November 2019, were manually collected and analyzed. This work is meant to facilitate the future development of preventive and detective safeguards by open source and research communities.