SoK: Taxonomy of attacks on open-source software supply chains
The widespread dependency on open-source software makes it a fruitful target for malicious
actors, as demonstrated by recurring attacks. The complexity of today's open-source supply …
What are weak links in the npm supply chain?
N Zahan, T Zimmermann, P Godefroid… - Proceedings of the 44th …, 2022 - dl.acm.org
Modern software development frequently uses third-party packages, raising the concern of
supply chain security attacks. Many attackers target popular package managers, like npm …
Practical automated detection of malicious npm packages
The npm registry is one of the pillars of the JavaScript and TypeScript ecosystems, hosting
over 1.7 million packages ranging from simple utility libraries to complex frameworks and …
Lastpymile: identifying the discrepancy between sources and packages
Open source packages have source code available on repositories for inspection (e.g. on
GitHub) but developers use pre-built packages directly from the package repositories (such …
Software supply chain: review of attacks, risk assessment strategies and security controls
The software product is a source of cyber-attacks that target organizations by using their
software supply chain as a distribution vector. As the reliance of software projects on open …
Taxonomy of attacks on open-source software supply chains
The widespread dependency on open-source software makes it a fruitful target for malicious
actors, as demonstrated by recurring attacks. The complexity of today's open-source supply …
Jack-in-the-box: An Empirical Study of JavaScript Bundling on the Web and its Security Implications
J Rack, CA Staicu - Proceedings of the 2023 ACM SIGSAC Conference …, 2023 - dl.acm.org
In recent years, we have seen an increased interest in studying the software supply chain of
user-facing applications to uncover problematic third-party dependencies. Prior work shows …
Dependency-Induced Waste in Continuous Integration: An Empirical Study of Unused Dependencies in the npm Ecosystem
Modern software systems are increasingly dependent upon code from external packages
(i.e., dependencies). Building upon external packages allows software reuse to span across …
Systematic literature review of the trust reinforcement mechanisms existing in package ecosystems
We conducted a thorough SLR to better grasp the challenges and possible solutions
associated with existing npm security tools. Our goal was to delve into documented …
On the feasibility of detecting injections in malicious npm packages
Open-source packages typically have their source code available on a source code
repository (e.g., on GitHub), but developers prefer to use pre-built artifacts directly from the …