Google and the OpenSSF present a tool for analyzing malicious open source repositories


The Open Source Security Foundation (OpenSSF, attached to the Linux Foundation) announces the creation of a tool for analyzing open source repositories to detect malicious additions. The project, called Package Analysis, is presented by Google, one of the OpenSSF members alongside Microsoft, AWS (Amazon's cloud branch), GitHub, Canonical, Cisco, Meta (Facebook), Dell, Huawei, HP, Intel, Tencent, IBM, Red Hat, Spotify (a recent addition), Samsung and others.

“Too easy” for malicious actors

This program performs a dynamic analysis of packages downloaded from popular open source repositories and compiles the results into a BigQuery table. For Caleb Brown, senior software engineer at Google, despite the essential role of open source software in technology today, it remains too easy for malicious actors to distribute harmful packages that attack both the systems and the users of this software. “Unlike mobile app stores, which can search for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and then must maintain an open model where everyone can contribute.”

Caleb Brown adds that by detecting harmful activity and warning consumers of suspicious behavior before they select packages, the program “contributes to a more secure software supply chain and greater trust in open source software.”

200 malicious packages in one month

Google gives examples of what its program detected in one month: about 200 malicious packages, many of them low-effort and attributed to security researchers hunting rewards of the “bug bounty” type.

In the OpenSSF announcement, co-signed by Caleb Brown and David A. Wheeler, director of Open Source Supply Chain Security at the Linux Foundation, on behalf of the Securing Critical Projects Working Group, an invitation is extended to other contributors for future goals, which are to “detect differences in package behavior over time, automate processing of package analysis results, store them as they are processed for long-term analysis, and improve the reliability of the software pipeline”.
