The Open Source Security Foundation (OpenSSF), a collective of industry leaders aimed at improving the security of open-source software (OSS), recently announced the release of a prototype tool that scans for malicious packages in open source repositories. The tool, called Package Analysis, identified at least 200 malicious packages uploaded to PyPI (the Python Package Index) and npm in a month of analysis.

Many people have embraced open source for the creative ways it can be used. Organizations of all sizes and industries rely on it for their day-to-day tasks, including critical ones. But because OSS requires people and businesses (and sometimes governments) to trust software developers unquestioningly, open source is susceptible to several risks, including exploitation.

Caleb Brown, who is part of Google’s Open Source Security Team and OpenSSF’s Securing Critical Projects Working Group, recognizes the considerable role open source plays in the software world and how “it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software.”

“Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute,” Brown said.

Several open source projects have been the subject of malware incidents. One was found to contain a cryptominer, and some have been hijacked to include malware. And in the most recent incident, some open source developers decided to take a stand against Russia’s invasion of Ukraine. To everyone’s dismay, the protestware also contained a wiper feature designed to destroy all files on systems geolocated in Russia or Belarus.

The Package Analysis project

Package Analysis doesn’t only answer essential “what” questions about a package (“what files does it access, what addresses does it connect to, and what commands does it run?”) but also looks at its behavior over time, so that users can be alerted when a usually safe package starts to act suspiciously.

“As a result, malicious packages like ua-parser-js and node-ipc are regularly uploaded to popular repositories despite their best efforts, with sometimes devastating consequences for users,” Brown added.

Package Analysis performs dynamic analysis of all packages uploaded to known OSS repositories and records the results in a BigQuery table (Google’s cloud data warehouse). The tool can alert OSS users to malicious changes in packages they depend on before they download them, which helps secure the software supply chain.
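The behavior-over-time check described above, as an added Python example that is not part of Package Analysis itself: it diffs two constructed per-version behavior reports (files accessed, addresses contacted, commands run) and alerts when a new release gains network or command activity the previous one never showed. The report schema, the package name `examplepkg` and all sample values are assumptions, not the project's real BigQuery layout.

```python
"""Diff two dynamic-analysis behaviour reports for successive versions of one package.

The report fields (files accessed, addresses contacted, commands run) mirror the
"what" questions the article lists; the schema itself is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List

CATEGORIES = ("files", "addresses", "commands")


@dataclass
class BehaviorReport:
    package: str
    version: str
    files: List[str] = field(default_factory=list)
    addresses: List[str] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)


def behavior_diff(prev: BehaviorReport, curr: BehaviorReport) -> Dict[str, List[str]]:
    """Return, per category, behaviour present in `curr` that `prev` never showed."""
    if prev.package != curr.package:
        raise ValueError("reports must describe the same package")
    return {cat: sorted(set(getattr(curr, cat)) - set(getattr(prev, cat)))
            for cat in CATEGORIES}


def should_alert(diff: Dict[str, List[str]]) -> bool:
    """Alert when a release gains network endpoints or executed commands.
    New file access alone is routine between releases and is only logged."""
    return bool(diff["addresses"] or diff["commands"])


# Constructed sample (hypothetical package): 1.0.0 only touched its own files,
# while 1.0.1 additionally reads a system file, opens an outbound connection and
# runs a shell command.  203.0.113.7 is a documentation (TEST-NET-3) address.
V1 = BehaviorReport("examplepkg", "1.0.0",
                    files=["/usr/lib/python3/site-packages/examplepkg/__init__.py"])
V2 = BehaviorReport("examplepkg", "1.0.1",
                    files=["/usr/lib/python3/site-packages/examplepkg/__init__.py",
                           "/etc/os-release"],
                    addresses=["203.0.113.7:443"],
                    commands=["/bin/sh -c uname -a"])

if __name__ == "__main__":
    delta = behavior_diff(V1, V2)
    for cat in CATEGORIES:
        print(f"{cat:>9} added in {V2.version}: {delta[cat]}")
    print("ALERT" if should_alert(delta) else "no alert")
```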

It’s no surprise to see Google supporting the project, describing it as “a welcome step toward helping secure the open source packages we all depend on.”

OpenSSF invites anyone interested to get involved in the project. Here is a wishlist of future goals for the project:

  • Detecting differences in package behavior over time
  • Automating the processing of the Package Analysis results
  • Storing the packages themselves as they are processed for long-term analysis
  • Improving the reliability of the pipeline

If you secure open source, you secure a supply chain

Google has been aiming to secure open source to protect its developers and users for a while now.

In 2021, the company invested in a project to evaluate Rust, a programming language popular with developers, as a supporting language for further developing the Linux kernel, on which Android is built. The project’s goal was not to replace the entire Linux code base but to improve parts of it using code written in Rust.

The company believes that Rust would “help us reduce the number of potential bugs and security vulnerabilities in privileged code while playing nicely with the core kernel and preserving its performance characteristics.”

Google also proposed an end-to-end framework for maintaining the integrity of the software supply chain. Dubbed Supply chain Levels for Software Artifacts (SLSA, pronounced “Salsa”), it is designed to protect the source and build integrity of open source software, and to give users information on whether a package meets a certain standard based on source, build, provenance, and security aspects.

This way, users are empowered to make informed choices on the security posture of software they heavily rely on.