English
Related papers

Related papers: Maven-Hijack: Software Supply Chain Attack Exploit…

200 papers

Modern software projects depend on many third-party libraries, complicating reproducible and secure builds. Several package managers address this with the generation of a lockfile that freezes dependency versions and can be used to verify…

Software Engineering · Computer Science 2025-10-07 Larissa Schmid , Elias Lundell , Yogya Gamage , Benoit Baudry , Martin Monperrus

Open-source software supply chain attacks aim at infecting downstream users by poisoning open-source packages. The common way of consuming such artifacts is through package repositories and the development of vetting strategies to detect…

Cryptography and Security · Computer Science 2022-10-11 Piergiorgio Ladisa , Henrik Plate , Matias Martinez , Olivier Barais , Serena Elisa Ponta

Software ecosystems rely on centralized package registries, such as Maven, to enable code reuse and collaboration. However, the interconnected nature of these ecosystems amplifies the risks posed by security vulnerabilities in direct and…

Software Engineering · Computer Science 2025-02-18 Corey Yang-Smith , Ahmad Abdellatif

A software supply chain attack is characterized by the injection of malicious code into a software package in order to compromise dependent systems further down the chain. Recent years saw a number of supply chain attacks that leverage the…

Cryptography and Security · Computer Science 2020-05-20 Marc Ohm , Henrik Plate , Arnold Sykosch , Michael Meier

Software supply chain attacks have become a significant threat as software development increasingly relies on contributions from multiple, often unverified sources. The code from unverified sources does not pose a threat until it is…

Cryptography and Security · Computer Science 2024-07-02 Aman Sharma , Martin Wittlinger , Benoit Baudry , Martin Monperrus

Rebuilding packages from open source is a common practice to improve the security of software supply chains, and is now done at an industrial scale. The basic principle is to acquire the source code used to build a package published in a…

Software Engineering · Computer Science 2026-02-24 Jens Dietrich , Behnaz Hassanshahi

This study investigates vulnerabilities within the Maven ecosystem by analyzing a comprehensive dataset of 14,459,139 releases. Our analysis reveals the most critical weaknesses that pose significant threats to developers and their projects…

Software Engineering · Computer Science 2025-03-31 Costain Nachuma , Md Mosharaf Hossan , Asif Kamal Turzo , Minhaz F. Zibran

Reusing software libraries is a pillar of modern software engineering. In 2022, the average Java application depends on 40 third-party libraries. Relying on such libraries exposes a project to potential vulnerabilities and may put an…

Software Engineering · Computer Science 2023-01-20 Amir M. Mir , Mehdi Keshani , Sebastian Proksch

The Log4j-Core vulnerability, known as Log4Shell, exposed significant challenges to dependency management in software ecosystems. When a critical vulnerability is disclosed, it is imperative that dependent packages quickly adopt patched…

The widespread dependency on open-source software makes it a fruitful target for malicious actors, as demonstrated by recurring attacks. The complexity of today's open-source supply chains results in a significant attack surface, giving…

Cryptography and Security · Computer Science 2023-07-19 Piergiorgio Ladisa , Henrik Plate , Matias Martinez , Olivier Barais

The liberalization of software licensing has led to unprecedented re-use of software. Alongside drastically increasing productivity and arguably quality of derivative works, it has also introduced multiple attack vectors. The management of…

Software Engineering · Computer Science 2023-02-20 Aarnav M. Bos

In Go, the widespread adoption of open-source software has led to a flourishing ecosystem of third-party dependencies, which are often integrated into critical systems. However, the reuse of dependencies introduces significant supply chain…

Cryptography and Security · Computer Science 2025-09-05 Carmine Cesarano , Vivi Andersson , Roberto Natella , Martin Monperrus

The widespread use of package managers like Maven has accelerated software development but has also introduced significant security risks due to vulnerabilities in dependencies. In this study, we analyze the prevalence and impact of…

Software Engineering · Computer Science 2025-04-08 Ehtisham Ul Haq , Song Wang , Robert S. Allison

The increasing popularity of certain programming languages has spurred the creation of ecosystem-specific package repositories and package managers. Such repositories (e.g., npm, PyPI) serve as public databases that users can query to…

Cryptography and Security · Computer Science 2023-10-09 Piergiorgio Ladisa , Merve Sahin , Serena Elisa Ponta , Marco Rosa , Matias Martinez , Olivier Barais

We study the evolution and impact of bloated dependencies in a single software ecosystem: Java/Maven. Bloated dependencies are third-party libraries that are packaged in the application binary but are not needed to run the application. We…

Software Engineering · Computer Science 2021-06-01 César Soto-Valero , Thomas Durieux , Benoit Baudry

Despite its obvious benefits, the increased adoption of package managers to automate the reuse of libraries has opened the door to a new class of hazards: supply chain attacks. By injecting malicious code in one library, an attacker may…

Software Engineering · Computer Science 2021-11-08 Nicolas Harrand , Thomas Durieux , David Broman , Benoit Baudry

Java deserialization gadget chains are a well-researched critical software weakness. The vast majority of known gadget chains rely on gadgets from software dependencies. Furthermore, it has been shown that small code changes in dependencies…

Cryptography and Security · Computer Science 2025-04-30 Bruno Kreyssig , Sabine Houy , Timothée Riom , Alexandre Bartel

Recent high-profile incidents in open-source software have greatly raised practitioner attention on software supply chain attacks. To guard against potential malicious package updates, security practitioners advocate pinning dependency to…

Software Engineering · Computer Science 2025-02-11 Hao He , Bogdan Vasilescu , Christian Kästner

Modern software heavily relies on the use of components. Those components are usually published in central repositories, and managed by build systems via dependencies. Due to issues around vulnerabilities, licenses and the propagation of…

Software Engineering · Computer Science 2023-10-11 Jens Dietrich , Shawn Rasheed , Alexander Jordan , Tim White

Protecting software supply chains from malicious packages is paramount in the evolving landscape of software development. Attacks on the software supply chain involve attackers injecting harmful software into commonly used packages or…

Cryptography and Security · Computer Science 2024-02-13 S. Halder , M. Bewong , A. Mahboubi , Y. Jiang , R. Islam , Z. Islam , R. Ip , E. Ahmed , G. Ramachandran , A. Babar
‹ Prev 1 2 3 10 Next ›