The Open Source Security Foundation (OpenSSF) is attempting to tackle the issue of malicious open source software with a new repository that will aggregate reports of malicious packages. 

“Currently, each open source package repository has its own approach to handling malicious packages. When a malicious package is reported by the community, it is common for the package repository’s security team to remove the package and its associated metadata. Unfortunately, these actions often occur without any public record. Discovering what malicious packages exist requires piecing together data from many disparate public sources, or through proprietary threat intelligence feeds,” Caleb Brown, senior software engineer on the Google Open Source Security Team, and Jossef Harush Kadouri, head of software supply chain security at Checkmarx, wrote in a blog post.

The Malicious Packages repository acts as a public database where reports of malicious packages are stored. 

OpenSSF believes that having a public repository of this information will “stop malicious dependencies from moving through CI/CD pipelines, refine detection engines, scan for and prevent usage in environments, or accelerate incident response,” Brown and Kadouri explained. 

Reports are stored using the Open Source Vulnerability (OSV) format, which makes them easy to use with tools like the osv.dev API, the osv-scanner tool, and deps.dev.
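As an added illustration (not code from OpenSSF or from the blog post), the sketch below shows how a CI step could match pinned dependencies against OSV-format reports using the format's `affected`, `package`, `versions` and `ranges` fields. The report IDs, package names and versions are constructed, and the function names are hypothetical.

```python
import re

# Constructed OSV-format records; IDs, names and versions are made up.
REPORTS = [
    {"id": "MAL-0000-0001",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "example-stealer"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]}]},
    {"id": "MAL-0000-0002",
     "affected": [{"package": {"ecosystem": "npm", "name": "example-utils"},
                   "versions": ["2.3.1"]}]},
]

def normalize(ecosystem, name):
    # PyPI names compare case-insensitively, with runs of -, _ and . equivalent.
    if ecosystem == "PyPI":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name

def covers(affected, version):
    """True if an OSV 'affected' entry covers the pinned version."""
    if version in affected.get("versions", []):
        return True
    for rng in affected.get("ranges", []):
        events = rng.get("events", [])
        from_zero = any(e.get("introduced") == "0" for e in events)
        bounded = any("fixed" in e or "last_affected" in e for e in events)
        if from_zero and not bounded:
            return True  # whole package reported, so every version matches
    # Bounded ranges need ecosystem-specific version ordering; not handled here.
    return False

def find_malicious(pins, reports):
    """pins: (ecosystem, name, version) tuples. Returns [(pin, report_id), ...]."""
    hits = []
    for eco, name, version in pins:
        for report in reports:
            for aff in report.get("affected", []):
                pkg = aff.get("package", {})
                if (pkg.get("ecosystem") == eco
                        and normalize(eco, pkg.get("name", "")) == normalize(eco, name)
                        and covers(aff, version)):
                    hits.append(((eco, name, version), report["id"]))
    return hits

if __name__ == "__main__":
    pins = [("PyPI", "Example_Stealer", "1.0.0"), ("npm", "example-utils", "2.3.0")]
    found = find_malicious(pins, REPORTS)
    for pin, report_id in found:
        print(f"BLOCK {pin} matches {report_id}")
    raise SystemExit(1 if found else 0)
```

A non-zero exit fails the pipeline step when any pin matches a report.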

The project sources data from Checkmarx security, exports of malicious packages that are tracked by GitHub, and the Package Analysis project, which looks at behaviors, such as what files the package accesses, what addresses it connects to, and what commands it runs. This helps it determine whether a package is behaving in a malicious way. It also tracks changes in behavior over time, which can help identify previously safe packages that turned malicious at some point.