English
Related papers

Related papers: Towards Measuring Supply Chain Attacks on Package …

200 papers

Command injection vulnerabilities are a significant security threat in dynamic languages like Python, particularly in widely used open-source projects where security issues can have extensive impact. With the proven effectiveness of Large…

Software Engineering · Computer Science 2025-05-22 Yuxuan Wang , Jingshu Chen , Qingyang Wang

This work discusses open-source software supply chain attacks and proposes a general taxonomy describing how attackers conduct them. We then provide a list of safeguards to mitigate such attacks. We present our tool "Risk Explorer for…

Cryptography and Security · Computer Science 2023-04-12 Piergiorgio Ladisa , Serena Elisa Ponta , Antonino Sabetta , Matias Martinez , Olivier Barais

Scripting languages are continuously gaining popularity due to their ease of use and the flourishing software ecosystems that surround them. These languages offer crash and memory safety by design, thus, developers do not need to understand…

Cryptography and Security · Computer Science 2023-02-06 Cristian-Alexandru Staicu , Sazzadur Rahaman , Ágnes Kiss , Michael Backes

The popularity of JavaScript has lead to a large ecosystem of third-party packages available via the npm software package registry. The open nature of npm has boosted its growth, providing over 800,000 free and reusable software packages.…

Cryptography and Security · Computer Science 2019-06-10 Markus Zimmermann , Cristian-Alexandru Staicu , Cam Tenny , Michael Pradel

Open-source ecosystems such as NPM and PyPI are increasingly targeted by supply chain attacks, yet existing detection methods either depend on fragile handcrafted rules or data-driven features that fail to capture evolving attack semantics.…

Software Engineering · Computer Science 2026-01-26 Wenbo Guo , Shiwen Song , Jiaxun Guo , Zhengzi Xu , Chengwei Liu , Haoran Ou , Mengmeng Ge , Yang Liu

With their increasing capabilities, Large Language Models (LLMs) are now used across many industries. They have become useful tools for software engineers and support a wide range of development tasks. As LLMs are increasingly used in…

Machine Learning · Computer Science 2026-03-17 Marc Damie , Murat Bilgehan Ertan , Domenico Essoussi , Angela Makhanu , Gaëtan Peter , Roos Wensveen

While new technologies emerge, human errors always looming. Software supply chain is increasingly complex and intertwined, the security of a service has become paramount to ensuring the integrity of products, safeguarding data privacy, and…

Cryptography and Security · Computer Science 2025-01-22 Vasileios Alevizos , George A Papakostas , Akebu Simasiku , Dimitra Malliarou , Antonis Messinis , Sabrina Edralin , Clark Xu , Zongliang Yue

Malicious packages in public registries pose serious threats to software supply chain security. While current software component analysis (SCA) tools rely on databases like OSV and Snyk to detect these threats, these databases suffer from…

Software Engineering · Computer Science 2025-11-25 Wenbo Guo , Chengwei Liu , Limin Wang , Yiran Zhang , Jiahui Wu , Zhengzi Xu , Yang Liu

The management of third-party package dependencies is crucial to most technology stacks, with package managers acting as brokers to ensure that a verified package is correctly installed, configured, or removed from an application. Diversity…

Software Engineering · Computer Science 2021-08-16 Syful Islam , Raula Gaikovina Kula , Christoph Treude , Bodin Chinthanet , Takashi Ishio , Kenichi Matsumoto

The npm (Node Package Manager) ecosystem is the most important package manager for JavaScript development with millions of users. Consequently, a plethora of earlier work investigated how vulnerability reporting, patch propagation, and in…

Cryptography and Security · Computer Science 2025-06-10 Rajdeep Ghosh , Shiladitya De , Mainack Mondal

Identifying security issues early is encouraged to reduce the latent negative impacts on software systems. Code review is a widely-used method that allows developers to manually inspect modified code, catching security issues during a…

Software Engineering · Computer Science 2024-05-10 Wachiraphan Charoenwet , Patanamon Thongtanunam , Van-Thuan Pham , Christoph Treude

Nearly every popular programming language comes with one or more package managers. The software packages distributed by such package managers form large software ecosystems. These packaging ecosystems contain a large number of package…

Software Engineering · Computer Science 2017-10-16 Alexandre Decan , Tom Mens , Philippe Grosjean

Using open-source dependencies is essential in modern software development. However, this practice implies significant trust in third-party code, while there is little support for developers to assess this trust. As a consequence, attacks…

Software Engineering · Computer Science 2025-09-08 Raphina Liu , Sofia Bobadilla , Benoit Baudry , Martin Monperrus

Open-source software serves as a foundation for the internet and the cyber supply chain, but its exploitation is becoming increasingly prevalent. While advances in vulnerability detection for OSS have been significant, prior research has…

Cryptography and Security · Computer Science 2024-12-02 Zhuoran Tan , Christos Anagnosstopoulos , Jeremy Singer

With the growing popularity of Large Language Models (LLMs) in software engineers' daily practices, it is important to ensure that the code generated by these tools is not only functionally correct but also free of vulnerabilities. Although…

Software Engineering · Computer Science 2024-09-06 Mohammed Latif Siddiq , Joanna C. S. Santos , Sajith Devareddy , Anna Muller

We conducted a thorough SLR to better grasp the challenges and possible solutions associated with existing npm security tools. Our goal was to delve into documented experiences and findings. Specifically, we were keen to learn about the…

Software Engineering · Computer Science 2024-07-04 Angel Temelko , Fang Hou , Siamak Farshidi , Slinger Jansen

Recently, the number of malicious open-source packages in package repositories has been increasing dramatically. While major security scanners focus on identifying known Common Vulnerabilities and Exposures (CVEs) in open-source packages,…

Cryptography and Security · Computer Science 2025-11-20 Thanh-Cong Nguyen , Ngoc-Thanh Nguyen , Van-Giau Ung , Duc-Ly Vu

With the popularity of software ecosystems, the number of open source components (known as packages) has grown rapidly. Identifying high-quality and well-maintained packages from a large pool of packages to depend on is a basic and…

Software Engineering · Computer Science 2022-04-12 Suhaib Mujahid , Rabe Abdalkareem , Emad Shihab

The number of people accessing online services is increasing day by day, and with new users, comes a greater need for effective and responsive cyber-security. Our goal in this study was to find out if there are common patterns within the…

Cryptography and Security · Computer Science 2024-05-15 Gábor Antal , Balázs Mosolygó , Norbert Vándor , Péter Hegedüs

Reusable software components, typically distributed as packages, are a central paradigm of modern software development. The JavaScript ecosystem serves as a prime example, offering millions of packages with their use being promoted as…

Software Engineering · Computer Science 2026-01-26 Ben Swierzy , Marc Ohm , Michael Meier