The increasingly sophisticated environment in which attackers operate makes software security an even greater challenge in open-source projects, where malicious packages are prevalent. Static analysis tools, such as Malcontent, are highly useful but are often incapable of dealing with obfuscated malware. Such situations lead to an unreasonably high rate of false positives. This paper highlights that dynamic analysis, rather than static analysis, provides greater insight but is also more resource-intensive for understanding software behaviour during execution. In this study, we enhance a dynamic analysis tool, package-analysis, to capture key runtime behaviours, including commands executed, files accessed, and network communications. This modification enables the use of container sandboxing technologies, such as gVisor, to analyse potentially malicious packages without significantly compromising the host system.
@article{arxiv.2511.09957,
title = {Pack-A-Mal: A Malware Analysis Framework for Open-Source Packages},
author = {Duc-Ly Vu and Thanh-Cong Nguyen and Minh-Khanh Vu and Ngoc-Thanh Nguyen and Kim-Anh Do Thi},
journal= {arXiv preprint arXiv:2511.09957},
year = {2026}
}
Comments
There was an error in the Case study: Malicious Solana web3.js Package. The actual number of downloads was 400,000 instead of 350,000