Wolf at the Door
Elizabeth Wyss, Alexander Wittman, Drew Davidson, Lorenzo De Carli
2022Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security20 citationsDOIOpen Access PDF
Abstract
The npm software ecosystem allows developers to easily import code written by others. However, manual vetting of every individual installed component is made difficult in many cases by the number of transitive dependencies brought in by installing popular packages. This has enabled attackers to propagate malicious code by hiding it deep into the dependency chains of popular packages. A particularly dangerous form of attack comes from malicious code embedded into package install scripts.
Topics & Concepts
VettingComputer scienceScripting languageCode (set theory)Component (thermodynamics)InstallationComputer securityDependency (UML)SoftwareSoftware bugOperating systemProgramming languageSoftware engineeringThermodynamicsPhysicsSet (abstract data type)Advanced Malware Detection TechniquesSecurity and Verification in ComputingDigital and Cyber Forensics