Large language model supply chain: A research agenda

S Wang, Y Zhao, X Hou, H Wang - ACM Transactions on Software …, 2024 - dl.acm.org
The rapid advancement of large language models (LLMs) has revolutionized artificial
intelligence, introducing unprecedented capabilities in natural language processing and …

Sok: Taxonomy of attacks on open-source software supply chains

P Ladisa, H Plate, M Martinez… - 2023 IEEE Symposium …, 2023 - ieeexplore.ieee.org
The widespread dependency on open-source software makes it a fruitful target for malicious
actors, as demonstrated by recurring attacks. The complexity of today's open-source supply …

Blind backdoors in deep learning models

E Bagdasaryan, V Shmatikov - 30th USENIX Security Symposium …, 2021 - usenix.org
We investigate a new method for injecting backdoors into machine learning models, based
on compromising the loss-value computation in the model-training code. We use it to …

What are weak links in the npm supply chain?

N Zahan, T Zimmermann, P Godefroid… - Proceedings of the 44th …, 2022 - dl.acm.org
Modern software development frequently uses third-party packages, raising the concern of
supply chain security attacks. Many attackers target popular package managers, like npm …

A systematic literature review on trust in the software ecosystem

F Hou, S Jansen - Empirical Software Engineering, 2023 - Springer
The worldwide software ecosystem is a trust-rich part of the world. Throughout the software
life cycle, software engineers, end-users, and other stakeholders collaboratively place their …

Practical automated detection of malicious npm packages

A Sejfia, M Schäfer - Proceedings of the 44th International Conference …, 2022 - dl.acm.org
The npm registry is one of the pillars of the JavaScript and Type-Script ecosystems, hosting
over 1.7 million packages ranging from simple utility libraries to complex frameworks and …

Silent spring: Prototype pollution leads to remote code execution in Node. js

M Shcherbakov, M Balliu, CA Staicu - 32nd USENIX Security Symposium …, 2023 - usenix.org
Prototype pollution is a dangerous vulnerability affecting prototype-based languages like
JavaScript and the Node. js platform. It refers to the ability of an attacker to inject properties …

The evolution of ransomware attacks in light of recent cyber threats. How can geopolitical conflicts influence the cyber climate?

F Teichmann, SR Boticiu, BS Sergi - International Cybersecurity Law …, 2023 - Springer
This article aims to analyze the current unpredictable cyber climate. In particular, Russia's
invasion of Ukraine has heightened concerns about security incidents, and ransomware …

Lastpymile: identifying the discrepancy between sources and packages

DL Vu, F Massacci, I Pashchenko, H Plate… - Proceedings of the 29th …, 2021 - dl.acm.org
Open source packages have source code available on repositories for inspection (eg on
GitHub) but developers use pre-built packages directly from the package repositories (such …

Taxonomy of attacks on open-source software supply chains

P Ladisa, H Plate, M Martinez, O Barais - arXiv preprint arXiv:2204.04008, 2022 - arxiv.org
The widespread dependency on open-source software makes it a fruitful target for malicious
actors, as demonstrated by recurring attacks. The complexity of today's open-source supply …