The Open Source Security Foundation (OpenSSF) has announced the launch of a new ‘Malicious Packages Repository’ which aims to provide information and alerts on the spread of malware.
The repository is the first open source platform specifically designed to collect and publish ecosystem reports of malicious packages being used in the wild.
Long-term, OpenSSF believes the repository could nurture closer cross-ecosystem alignment of trending threats and play a crucial role in curbing malware.
A ‘malicious package’ is a type of malware delivered as an open source package and typically published to package repositories such as PyPI or NPM. Threat actors often use them to attack organizations using open source software.
“These packages can be used for attacks such as gaining unauthorized access, leaking private information, consuming computing resources, or even destroying or damaging data,” according to the foundation. “These attack flows are not prevented by most endpoint antivirus software.”
OpenSSF said it’s launching this repository in direct response to the “rising incidence of attacks” that include malicious open source packages.
The foundation said such comprehensive intelligence sharing as this could have played a critical role in alerting the open source community in the early stages of the campaign.
“A centralized repository for shared intelligence could have alerted the community to the attack sooner and helped the open source community understand the complete range of threats,” the foundation said in its announcement blog post.
“Our hope is for the malicious packages repository to be this kind of resource.”
Henrik Plate, security researcher at application security startup, Endor Labs, welcomed the move as a positive step toward tracking malware distribution across the open source ecosystem.
“For academic researchers, in particular, it offers a nice opportunity to explore and test new approaches to malware detection without being required to redo the basic plumbing over and over again, for example, the monitoring of new package publications on various package registries like PyPI or npm.”
How the OpenSSF malicious packages repository works
A key objective of the repository is tackling traditional weaknesses in reporting malicious packages, according to OpenSSF.
At present, each repository has its “own approach” to handling the issue, it added. When members of the community report issues, packages are typically removed by teams responsible for handling security issues.
But OpenSSF noted these instances “often occur without any public record”, which creates a disparate overview of the threat landscape for the open source community.
Discover what you can gain from using an integrated threat intelligence platform
With this mind, OpenSSF said it aims to “fill the data gap” by creating an open public database that aggregates reports from across the community.
“This database has the potential to stop malicious dependencies from moving through CI/CD pipelines, refine detection engines, scan for and prevent usage in environments, or accelerate incident response,” the foundation said.
Reports in the repository will use the Open Source Vulnerability (OSV) format, which is already used for highlighting vulnerabilities in open source projects.
Using this format will create a more streamlined and integrated approach to reporting malicious packages, OpenSSF added.
“By using the OSV format for malicious packages, it is possible to make use of existing integrations, including the osv.dev API, the osv-scanner tool, and deps.dev,” it said. “The OSV format is also extensible, allowing additional data to be recorded like indicators of compromise, or classification data.”
Plate said the decision to use the OSV format makes sense in terms of ease of use for the open source community.
“Malicious package reports from the project were already part of the Open Source Vulnerability (OSV) database for some time,” he continued.
“The integration was easy due the choice of the OSV format, which was probably the reason for using this reporting format in the first place.
“This makes it possible for developers to look up malicious packages, and will allow tool vendors in this space to include this data in their feeds.”
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.