English
Related papers

Related papers: Malicious Package Detection using Metadata Informa…

200 papers

Background: The Node Package Manager (npm) ecosystem plays a vital role in modern software development by providing a vast repository of packages and tools that developers can use to implement their software systems. However, recent…

Software Engineering · Computer Science 2026-01-29 Anthony Peruma , Truman Choy , Gerald Lee , Italo De Oliveira Santos

Software supply chain attacks targeting the npm ecosystem have become increasingly sophisticated, leveraging obfuscation and complex logic to evade traditional detection mechanisms. Recently, large language models (LLMs) have attracted…

Cryptography and Security · Computer Science 2026-01-13 Dang-Khoa Nguyen , Gia-Thang Ho , Quang-Minh Pham , Tuyet A. Dang-Thi , Minh-Khanh Vu , Thanh-Cong Nguyen , Phat T. Tran-Truong , Duc-Ly Vu

Selecting third-party software packages in open-source ecosystems like Python is challenging due to the large number of alternatives and limited transparent evidence for comparison. Generative AI tools are increasingly used in development…

Malicious software threats and their detection have been gaining importance as a subdomain of information security due to the expansion of ICT applications in daily settings. A major challenge in designing and developing anti-malware…

Cryptography and Security · Computer Science 2021-01-15 Cengiz Acarturk , Melih Sirlanci , Pinar Gurkan Balikcioglu , Deniz Demirci , Nazenin Sahin , Ozge Acar Kucuk

Trojanized software packages used in software supply chain attacks constitute an emerging threat. Unfortunately, there is still a lack of scalable approaches that allow automated and timely detection of malicious software packages and thus…

Cryptography and Security · Computer Science 2021-03-22 Marc Ohm , Lukas Kempf , Felix Boes , Michael Meier

Open-source software serves as a foundation for the internet and the cyber supply chain, but its exploitation is becoming increasingly prevalent. While advances in vulnerability detection for OSS have been significant, prior research has…

Cryptography and Security · Computer Science 2024-12-02 Zhuoran Tan , Christos Anagnosstopoulos , Jeremy Singer

The large amount of third-party packages available in fast-moving software ecosystems, such as Node.js/npm, enables attackers to compromise applications by pushing malicious updates to their package dependencies. Studying the npm…

Cryptography and Security · Computer Science 2021-03-11 Gabriel Ferreira , Limin Jia , Joshua Sunshine , Christian Kästner

The security of open-source software repositories is increasingly threatened by next-gen software supply chain attacks. These attacks include multiphase malware execution, remote access activation, and dynamic payload generation.…

Cryptography and Security · Computer Science 2026-04-30 Sk Tanzir Mehedi , Raja Jurdak , Chadni Islam , Abu Bakar Siddique Mahi , Gowri Ramachandran

Malicious package detection has become a critical task in ensuring the security and stability of the PyPI. Existing detection approaches have focused on advancing model selection, evolving from traditional machine learning (ML) models to…

Cryptography and Security · Computer Science 2025-06-18 Xingan Gao , Xiaobing Sun , Sicong Cao , Kaifeng Huang , Di Wu , Xiaolei Liu , Xingwei Lin , Yang Xiang

The increasingly sophisticated environment in which attackers operate makes software security an even greater challenge in open-source projects, where malicious packages are prevalent. Static analysis tools, such as Malcontent, are highly…

Cryptography and Security · Computer Science 2026-01-27 Duc-Ly Vu , Thanh-Cong Nguyen , Minh-Khanh Vu , Ngoc-Thanh Nguyen , Kim-Anh Do Thi

Maliciously prepared software packages are an extensively leveraged weapon for software supply chain attacks. The detection of malicious packages is undoubtedly of high priority and many academic and commercial approaches have been…

Cryptography and Security · Computer Science 2025-05-13 Marc Ohm , Timo Pohl , Felix Boes

Open-source ecosystems such as NPM and PyPI are increasingly targeted by supply chain attacks, yet existing detection methods either depend on fragile handcrafted rules or data-driven features that fail to capture evolving attack semantics.…

Software Engineering · Computer Science 2026-01-26 Wenbo Guo , Shiwen Song , Jiaxun Guo , Zhengzi Xu , Chengwei Liu , Haoran Ou , Mengmeng Ge , Yang Liu

Relying on dependency packages accelerates software development, but it also increases the exposure to security vulnerabilities that may be present in dependencies. While developers have full control over which dependency packages (and…

Software Engineering · Computer Science 2023-10-13 Abbas Javan Jafari , Diego Elias Costa , Ahmad Abdellatif , Emad Shihab

A serious threat today is malicious executables. It is designed to damage computer system and some of them spread over network without the knowledge of the owner using the system. Two approaches have been derived for it i.e. Signature Based…

Cryptography and Security · Computer Science 2013-08-14 Usukhbayar Baldangombo , Nyamjav Jambaljav , Shi-Jinn Horng

The exponential growth of open-source package ecosystems, particularly NPM and PyPI, has led to an alarming increase in software supply chain poisoning attacks. Existing static analysis methods struggle with high false positive rates and…

Cryptography and Security · Computer Science 2024-09-17 Xinyi Zheng , Chen Wei , Shenao Wang , Yanjie Zhao , Peiming Gao , Yuanchao Zhang , Kailong Wang , Haoyu Wang

The increasing popularity of certain programming languages has spurred the creation of ecosystem-specific package repositories and package managers. Such repositories (e.g., npm, PyPI) serve as public databases that users can query to…

Cryptography and Security · Computer Science 2023-10-09 Piergiorgio Ladisa , Merve Sahin , Serena Elisa Ponta , Marco Rosa , Matias Martinez , Olivier Barais

With the continuous rise of malicious campaigns and the exploitation of new attack vectors, it is necessary to assess the efficacy of the defensive mechanisms used to detect them. To this end, the contribution of our work is twofold. First,…

Cryptography and Security · Computer Science 2021-05-04 Vasilios Koutsokostas , Constantinos Patsakis

Modern software systems heavily rely on third-party dependencies, making software supply chain security a critical concern. We introduce the concept of software supply chain smells as structural indicators that signal potential security…

Software Engineering · Computer Science 2026-03-31 Larissa Schmid , Diogo Gaspar , Raphina Liu , Sofia Bobadilla , Benoit Baudry , Martin Monperrus

In the digitized world, smartphones and their apps play an important role. To name just a few examples, some apps offer possibilities for entertainment, others for online banking, and others offer support for two-factor authentication.…

Cryptography and Security · Computer Science 2023-07-18 Alexander Hefter , Christoph Sendner , Alexandra Dmitrienko

Software developers typically rely upon a large network of dependencies to build their applications. For instance, the NPM package repository contains over 3 million packages and serves tens of billions of downloads weekly. Understanding…

Software Engineering · Computer Science 2023-08-25 Donald Pinckney , Federico Cassano , Arjun Guha , Jonathan Bell