Google touts new tool that scans for malicious packages in popular open-source repositories

The Open Source Security Foundation (OpenSSF) announced the creation of a tool that can be used to scan popular open-source repositories for malicious packages. 

The Package Analysis project was touted by Google, which is a member of OpenSSF and has worked closely with the foundation on a variety of security-related projects. 

The program performs dynamic analysis of all packages uploaded to popular open-source repositories and catalogs the results in a BigQuery table, according to Google senior software engineer Caleb Brown. 

Brown explained that despite open-source software's essential role in technology today, it is still far too easy for bad actors to circulate malicious packages that attack the systems and users running that software.

“Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute,” Brown said. 

“As a result, malicious packages like ua-parser-js, and node-ipc are regularly uploaded to popular repositories despite their best efforts, with sometimes devastating consequences for users.”

Brown added that by detecting malicious activities and alerting consumers to suspicious behavior before they select packages, the program “contributes to a more secure software supply chain and greater trust in open source software.”

Over the past two years, researchers have uncovered hundreds of malicious packages in popular repositories, prompting efforts by tech leaders to address the issue. 

Brown said the space continues to grow significantly and “having an open standard for reporting would help centralize analysis results and offer consumers a trusted place to assess the packages they’re considering using.” 

An open standard "should also foster healthy competition, promote integration, and raise the overall security of open source packages,” Brown said. 

The program also provides researchers with insights into what kinds of malicious packages are most popular at any given time.

“Though the project has been in development for a while, it has only recently become useful following extensive modifications based on initial experiences."

OpenSSF was created in 2020 by big tech firms in order to help steer, guide, and share open-source security tools.

Besides Google, the OpenSSF member list also includes GitHub, Microsoft, Canonical, Cisco, Facebook, Intel, HP, Tencent, IBM, Red Hat, Samsung and many more.