(Translated by https://www.hiragana.jp/)
[2307.09087] The Hitchhiker's Guide to Malicious Third-Party Dependencies
Skip to main content
We gratefully acknowledge support from the Simons Foundation, member institutions, and all contributors. Donate
arXiv logo
Cornell University Logo

Computer Science > Cryptography and Security

arXiv:2307.09087 (cs)
[Submitted on 18 Jul 2023 (v1), last revised 6 Oct 2023 (this version, v3)]

Title:The Hitchhiker's Guide to Malicious Third-Party Dependencies

Authors:Piergiorgio Ladisa, Merve Sahin, Serena Elisa Ponta, Marco Rosa, Matias Martinez, Olivier Barais
View PDF
Abstract:The increasing popularity of certain programming languages has spurred the creation of ecosystem-specific package repositories and package managers. Such repositories (e.g., npm, PyPI) serve as public databases that users can query to retrieve packages for various functionalities, whereas package managers automatically handle dependency resolution and package installation on the client side. These mechanisms enhance software modularization and accelerate implementation. However, they have become a target for malicious actors seeking to propagate malware on a large scale.
In this work, we show how attackers can leverage capabilities of popular package managers and languages to achieve arbitrary code execution on victim machines, thereby realizing open-source software supply chain attacks. Based on the analysis of 7 ecosystems, we identify 3 install-time and 4 runtime techniques, and we provide recommendations describing how to reduce the risk when consuming third-party dependencies. We will provide proof-of-concepts that demonstrate the identified techniques. Furthermore, we describe evasion strategies employed by attackers to circumvent detection mechanisms.
Comments: Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED '23), November 30, 2023, Copenhagen, Denmark
Subjects: Cryptography and Security (cs.CR)
Cite as: arXiv:2307.09087 [cs.CR]
  (or arXiv:2307.09087v3 [cs.CR] for this version)
  https://doi.org/10.48550/arXiv.2307.09087
Related DOI: https://doi.org/10.1145/3605770.3625212

Submission history

From: Piergiorgio Ladisa [view email]
[v1] Tue, 18 Jul 2023 09:12:06 UTC (539 KB)
[v2] Fri, 29 Sep 2023 13:03:56 UTC (303 KB)
[v3] Fri, 6 Oct 2023 08:57:38 UTC (573 KB)
Full-text links:

Access Paper:

  • View PDF
  • TeX Source
  • Other Formats
license icon view license
Current browse context:
cs.CR
< prev   |   next >
new | recent | 2023-07
Change to browse by:
cs

References & Citations

export BibTeX citation

Bookmark

BibSonomy logo Reddit logo

Bibliographic and Citation Tools

Bibliographic Explorer (What is the Explorer?)
Litmaps (What is Litmaps?)
scite Smart Citations (What are Smart Citations?)

Code, Data and Media Associated with this Article

CatalyzeX Code Finder for Papers (What is CatalyzeX?)
DagsHub (What is DagsHub?)
Gotit.pub (What is GotitPub?)
Papers with Code (What is Papers with Code?)
ScienceCast (What is ScienceCast?)

Demos

Replicate (What is Replicate?)
Hugging Face Spaces (What is Spaces?)
TXYZ.AI (What is TXYZ.AI?)

Recommenders and Search Tools

Influence Flower (What are Influence Flowers?)
Connected Papers (What is Connected Papers?)
CORE Recommender (What is CORE?)

arXivLabs: experimental projects with community collaborators

arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.

Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.

Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs.

Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)