The Open Source Security Foundation (OpenSSF) has announced the launch of a new ‘Malicious Packages Repository’ which aims to provide information and alerts on the spread of malware.
The repository is the first open source platform specifically designed to collect and publish ecosystem reports of malicious packages being used in the wild.
Long-term, OpenSSF believes the repository could nurture closer cross-ecosystem alignment of trending threats and play a crucial role in curbing malware.
A ‘malicious package’ is a type of malware delivered as an open source package and typically published to package repositories such as PyPI or NPM. Threat actors often use them to attack organizations using open source software.
“These packages can be used for attacks such as gaining unauthorized access, leaking private information, consuming computing resources, or even destroying or damaging data,” according to the foundation. “These attack flows are not prevented by most endpoint antivirus software.”
OpenSSF said it’s launching this repository in direct response to the “rising incidence of attacks” that include malicious open source packages.
Earlier this year, the Lazarus Group was observed targeting the blockchain and cryptocurrency sectors using npm packages to compromise software supply chains.
The foundation said such comprehensive intelligence sharing as this could have played a critical role in alerting the open source community in the early stages of the campaign.
“A centralized repository for shared intelligence could have alerted the community to the attack sooner and helped the open source community understand the complete range of threats,” the foundation said in its announcement blog post.
“Our hope is for the malicious packages repository to be this kind of resource.”
Henrik Plate, security researcher at application security startup, Endor Labs, welcomed the move as a positive step toward tracking malware distribution across the open source ecosystem.
“For academic researchers, in particular, it offers a nice opportunity to explore and test new approaches to malware detection without being required to redo the basic plumbing over and over again, for example, the monitoring of new package publications on various package registries like PyPI or npm.”
How the OpenSSF malicious packages repository works
A key objective of the repository is tackling traditional weaknesses in reporting malicious packages, according to OpenSSF.
At present, each repository has its “own approach” to handling the issue, it added. When members of the community report issues, packages are typically removed by teams responsible for handling security issues.
But OpenSSF noted these instances “often occur without any public record”, which creates a disparate overview of the threat landscape for the open source community.
Discover what you can gain from using an integrated threat intelligence platform
With this mind, OpenSSF said it aims to “fill the data gap” by creating an open public database that aggregates reports from across the community.
“This database has the potential to stop malicious dependencies from moving through CI/CD pipelines, refine detection engines, scan for and prevent usage in environments, or accelerate incident response,” the foundation said.
Reports in the repository will use the Open Source Vulnerability (OSV) format, which is already used for highlighting vulnerabilities in open source projects.
Using this format will create a more streamlined and integrated approach to reporting malicious packages, OpenSSF added.
“By using the OSV format for malicious packages, it is possible to make use of existing integrations, including the osv.dev API, the osv-scanner tool, and deps.dev,” it said. “The OSV format is also extensible, allowing additional data to be recorded like indicators of compromise, or classification data.”
Plate said the decision to use the OSV format makes sense in terms of ease of use for the open source community.
“Malicious package reports from the project were already part of the Open Source Vulnerability (OSV) database for some time,” he continued.
“The integration was easy due the choice of the OSV format, which was probably the reason for using this reporting format in the first place.
“This makes it possible for developers to look up malicious packages, and will allow tool vendors in this space to include this data in their feeds.”
