
Towards Detection of Malicious Software Packages Through Code Reuse by Malevolent Actors

Trojanized software packages used in software supply chain attacks constitute an emerging threat. Unfortunately, there is still a lack of scalable approaches that allow automated and timely detection of malicious software packages, and thus most detections are based on manual labor and expertise. However, it has been observed that most attack campaigns comprise multiple packages that share the same or similar malicious code. We leverage that fact to automatically reproduce manually identified clusters of known malicious packages that have been used in real-world attacks, thus reducing the need for expert knowledge and manual inspection. Our approach, AST Clustering using MCL to mimic Expertise (ACME), yields promising results with an F1 score of 0.99. Signatures are automatically generated based on characteristic code fragments from clusters and are subsequently used to scan the whole npm registry for unreported malicious packages. We are able to identify and report six malicious packages, which have consequently been removed from npm. Therefore, our approach can support detection by reducing manual labor and hence may be employed by maintainers of package repositories to detect possible software supply chain attacks through trojanized software packages.

Document Type: Conference Object
Author: Marc Ohm, Lukas Kempf, Felix Boes, Michael Meier
Parent Title (English): Wressnegger, Reinhardt et al. (eds.): Sicherheit 2022 - Sicherheit, Schutz und Zuverlässigkeit. Konferenzband der 11. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), 5.-8. April 2022 in Karlsruhe
Number of pages: 13
First Page: 35
Last Page: 47
Publisher: Gesellschaft für Informatik e.V. (GI)
Place of publication: Bonn
Publishing Institution: Hochschule Bonn-Rhein-Sieg
Publication year: 2022
Keyword: Abstract Syntax Tree; Malware; Markov Cluster Algorithm; Software Supply Chain
Departments, institutes and facilities: Department of Computer Science (Fachbereich Informatik)
Dewey Decimal Classification (DDC): 0 Computer science, information and general works / 00 Computer science, knowledge, systems / 004 Data processing; computer science
Entry in this database: 2023/02/21
Licence: Creative Commons - CC BY-SA - Attribution - ShareAlike 4.0 International