Litcius/Paper detail

What are weak links in the npm supply chain?

Nusrat Zahan, Thomas Zimmermann, Patrice Godefroid, Thomas Brendan Murphy, Chandra Maddila, Laurie Williams

202273 citationsDOIOpen Access PDF

Abstract

Modern software development frequently uses third-party packages, raising the concern of supply chain security attacks. Many attackers target popular package managers, like npm, and their users with supply chain attacks. In 2021 there was a 650% year-on-year growth in security attacks by exploiting Open Source Software's supply chain. Proactive approaches are needed to predict package vulnerability to high-risk supply chain attacks. The goal of this work is to help software developers and security specialists in measuring npm supply chain weak link signals to prevent future supply chain attacks by empirically studying npm package metadata.

Topics & Concepts

Supply chainVulnerability (computing)Computer scienceComputer securityMetadataSoftwareRisk analysis (engineering)BusinessWorld Wide WebOperating systemMarketingSoftware Engineering ResearchAdvanced Malware Detection TechniquesInformation and Cyber Security
What are weak links in the npm supply chain? | Litcius