English
Related papers

Related papers: Towards Measuring Supply Chain Attacks on Package …

200 papers

The package manager (PM) is crucial to most technology stacks, acting as a broker to ensure that a verified dependency package is correctly installed, configured, or removed from an application. Diversity in technology stacks has led to…

Software Engineering · Computer Science 2023-02-15 Syful Islam , Raula Gaikovina Kula , Christoph Treude , Bodin Chinthanet , Takashi Ishio , Kenichi Matsumoto

Software supply chain attacks have revealed blind spots in existing SCA tools, which are often limited to a single ecosystem and assess either software artifacts or community activity in isolation. This fragmentation across tools and…

Software Engineering · Computer Science 2025-12-02 Ziheng Liu , Runzhi He , Minghui Zhou

Language-based ecosystems (LBE), i.e., software ecosystems based on a single programming language, are very common. Examples include the npm ecosystem for JavaScript, and PyPI for Python. These environments encourage code reuse between…

Cryptography and Security · Computer Science 2021-12-01 Ruturaj K. Vaidya , Lorenzo De Carli , Drew Davidson , Vaibhav Rastogi

Open-source software (OSS) has become increasingly more popular across different domains. However, this rapid development and widespread adoption come with a security cost. The growing complexity and openness of OSS ecosystems have led to…

Cryptography and Security · Computer Science 2025-06-17 Seyed Ali Akhavani , Behzad Ousat , Amin Kharraz

Modern software supply chain attacks consist of introducing new, malicious capabilities into trusted third-party software components, in order to propagate to a victim through a package dependency chain. These attacks are especially…

Cryptography and Security · Computer Science 2025-05-21 Carmine Cesarano , Martin Monperrus , Roberto Natella

In modern software development workflows, the open-source software supply chain contributes significantly to efficient and convenient engineering practices. With increasing system complexity, using open-source software as third-party…

Software Engineering · Computer Science 2025-11-18 Zihe Yan , Kai Luo , Haoyu Yang , Yang Yu , Zhuosheng Zhang , Guancheng Li

Software developers typically rely upon a large network of dependencies to build their applications. For instance, the NPM package repository contains over 3 million packages and serves tens of billions of downloads weekly. Understanding…

Software Engineering · Computer Science 2023-08-25 Donald Pinckney , Federico Cassano , Arjun Guha , Jonathan Bell

SourceRank is a scoring system made of 18 metrics that assess the popularity and quality of open-source packages. Despite being used in several recent studies, none has thoroughly analyzed its reliability against evasion attacks aimed at…

Cryptography and Security · Computer Science 2026-01-01 Biagio Montaruli , Serena Elisa Ponta , Luca Compagna , Davide Balzarotti

While attackers often distribute malware to victims via open-source, community-driven package repositories, these repositories do not currently run automated malware detection systems. In this work, we explore the security goals of the…

Cryptography and Security · Computer Science 2023-09-19 Duc-Ly Vu , Zachary Newman , John Speed Meyers

Relying on dependency packages accelerates software development, but it also increases the exposure to security vulnerabilities that may be present in dependencies. While developers have full control over which dependency packages (and…

Software Engineering · Computer Science 2023-10-13 Abbas Javan Jafari , Diego Elias Costa , Ahmad Abdellatif , Emad Shihab

Large language models (LLMs) have developed rapidly in recent years, revolutionizing various fields. Despite their widespread success, LLMs heavily rely on external code dependencies from package management systems, creating a complex and…

Cryptography and Security · Computer Science 2025-09-01 Shuhan Liu , Xing Hu , Xin Xia , David Lo , Xiaohu Yang

The software supply chain involves a multitude of tools and processes that enable software developers to write, build, and ship applications. Recently, security compromises of tools or processes has led to a surge in proposals to address…

Cryptography and Security · Computer Science 2022-09-12 Marcela S. Melara , Mic Bowman

Package managers are legion. Every programming language and operating system has its own solution, each with subtly different semantics for dependency resolution. This fragmentation prevents multilingual projects from expressing precise…

Programming Languages · Computer Science 2026-02-24 Ryan Gibb , Patrick Ferris , David Allsopp , Thomas Gazagnaire , Anil Madhavapeddy

The npm registry is one of the pillars of the JavaScript and TypeScript ecosystems, hosting over 1.7 million packages ranging from simple utility libraries to complex frameworks and entire applications. Due to the overwhelming popularity of…

Cryptography and Security · Computer Science 2022-03-01 Adriana Sejfia , Max Schäfer

Much of the success of modern software development can be attributed to code reuse. The ability to reuse existing functionality via third-party dependencies has enabled massive gains in productivity, but for a long time the dominant…

Software Engineering · Computer Science 2025-10-07 Brittany Anne Reid , Raula Gaikovina Kula

Identifying the impact scope and scale is critical for software supply chain vulnerability assessment. However, existing studies face substantial limitations. First, prior studies either work at coarse package-level granularity, producing…

Software Engineering · Computer Science 2025-10-10 Bonan Ruan , Zhiwei Lin , Jiahao Liu , Chuqi Zhang , Kaihang Ji , Zhenkai Liang

PyPI provides a convenient and accessible package management platform to developers, enabling them to quickly implement specific functions and improve work efficiency. However, the rapid development of the PyPI ecosystem has led to a severe…

Software Engineering · Computer Science 2023-09-21 Wenbo Guo , Zhengzi Xu , Chengwei Liu , Cheng Huang , Yong Fang , Yang Liu

Software developers reuse third-party packages that are hosted in package registries. At build time, a package manager resolves and fetches the direct and indirect dependencies of a project. Most package managers also generate a lockfile,…

Software Engineering · Computer Science 2026-04-03 Yogya Gamage , Deepika Tiwari , Martin Monperrus , Benoit Baudry

The security of research software is essential for ensuring the integrity and reproducibility of scientific results. However, research software security is still largely unexplored. Due to its dependence on open source components and…

Software Engineering · Computer Science 2025-08-07 Richard Hegewald , Rebecca Beyer

The open-source software (OSS) ecosystem suffers from security threats caused by malware.However, OSS malware research has three limitations: a lack of high-quality datasets, a lack of malware diversity, and a lack of attack campaign…

Cryptography and Security · Computer Science 2025-04-18 Xiaoyan Zhou , Ying Zhang , Wenjia Niu , Jiqiang Liu , Haining Wang , Qiang Li