The Open Source Security Foundation today launched its Malicious Packages Repository, an open-source system for collecting and publishing cross-ecosystem reports of malicious packages.

Claimed to be the first open-source system of its type, the repository was created in response to the rising number of attacks that include malicious open-source packages. Malicious packages, in terms of what the repository tracks, are forms of malware that are delivered as an open-source package and published to a repository such as PyPI or NPM.

The packages vary from vulnerable code, which has weaknesses that can be exploited. By contrast, packages with malicious code are intentionally designed to harm or compromise potential victims. The packages are used to attack developers or companies that unwittingly install and run them and can be used for attacks such as gaining unauthorized access, leaking private information, consuming computing resources, or even destroying or damaging data.

One example of a malicious package given by the OpenSSF was the infamous North Korean-linked Lazarus gang targeting blockchain and cryptocurrency sectors by using deceptive npm packages to compromise various software supply chains. The foundation argues that a centralized repository for shared intelligence could have alerted the community to the attack sooner and helped the open-source community understand the complete range of threats. This is where the Malicious Packages Repository comes in.

The Malicious Packages Repository fills data gaps by creating a public database that aggregates reports of malicious packages discovered in open-source repositories. In doing so, the database can assist in stopping malicious dependencies from moving through continuous integration/ continuous delivery pipelines, refine detection engines, scan for and prevent usage in environments, or accelerate incident response.

Reports in the Malicious Packages Repository use the Open Source Vulnerability format. The OSV format for malicious packages can make use of existing integrations. The format is also extensible, allowing additional data to be recorded, such as indicators of compromise or classification of data.

Henrik Plate, security researcher at dependency lifecycle management startup Endor Labs Inc., told SiliconANGLE that “for academic researchers, in particular, it offers a nice opportunity to explore and test new approaches to malware detection without being required to redo the basic plumbing over and over again,” such as “the monitoring of new package publications on various package registries like PyPI or npm.”

“The database could also be an invaluable dataset for artificial intelligence and machine learning training, comparable to the Backstabber’s Knife Collection, if only they would also publish the actual malware,” Plate added. “I hope this is going to change in the future.”

Image: OpenSSF