Open-source security: It's too easy to upload 'devastating' malicious packages, warns Google

Google has detailed some of the work done to find malicious code packages that have been sneaked into bigger open-source software projects. 

The Package Analysis Project is one of the software supply chain initiatives from the the Linux Foundation’s Open Source Security Foundation (OpenSSF) that should help automate the process of identifying malicious packages distributed on popular package repositories, such as npm for JavaScript and PyPl for Python. It runs a dynamic analysis of all packages uploaded to popular open-source repositories. It aims to provide data about common types of malicious packages and inform those working on open-source software supply chain security about how best to improve it. 

“Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute. As a result, malicious packages like ua-parser-js, and node-ipc are regularly uploaded to popular repositories despite their best efforts, with sometimes devastating consequences for users,” Caleb Brown of Google’s Open Source Security Team explains in a blogpost.  

Open Source

“Despite open-source software’s essential role in all software

Read More: