Small World with High Risks: A Study of Security Threats in the npm Ecosystem
25 February 2019
Markus Zimmermann
Cristian-Alexandru Staicu
Cam Tenny
Michael Pradel
Papers citing
"Small World with High Risks: A Study of Security Threats in the npm Ecosystem"
50 / 52 papers shown
Open Source, Open Threats? Investigating Security Challenges in Open-Source Software
Seyed Ali Akhavani
Behzad Ousat
Amin Kharraz
25
0
0
15 Jun 2025
PermRust: A Token-based Permission System for Rust
Lukas Gehring
Sebastian Rehms
Florian Tschorsch
14
0
0
13 Jun 2025
PoCGen: Generating Proof-of-Concept Exploits for Vulnerabilities in Npm Packages
Deniz Simsek
Aryaz Eghbali
Michael Pradel
98
0
0
05 Jun 2025
An Accurate and Efficient Vulnerability Propagation Analysis Framework
Bonan Ruan
Zhiwei Lin
Jiahao Liu
Chuqi Zhang
Kaihang Ji
Zhenkai Liang
64
0
0
02 Jun 2025
Securing the Software Package Supply Chain for Critical Systems
Ritwik Murali
Akash Ravi
29
0
0
28 May 2025
Automatically Generating Rules of Malicious Software Packages via Large Language Model
XiangRui Zhang
HaoYu Chen
YongZhong He
Wenjia Niu
Qiang Li
74
0
0
24 Apr 2025
Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack
Piotr Przymus
Thomas Durieux
33
1
0
24 Apr 2025
A Time Series Analysis of Malware Uploads to Programming Language Ecosystems
Jukka Ruohonen
Mubashrah Saddiqa
38
2
0
22 Apr 2025
ConfuGuard: Using Metadata to Detect Active and Stealthy Package Confusion Attacks Accurately and at Scale
Wenxin Jiang
Berk Çakar
Mikola Lysenko
James C. Davis
105
0
0
27 Feb 2025
4.5 Million (Suspected) Fake Stars in GitHub: A Growing Spiral of Popularity Contests, Scams, and Malware
Hao He
Haoqin Yang
Philipp Burckhardt
A. Kapravelos
Bogdan Vasilescu
Christian Kastner
192
4
0
18 Dec 2024
Protect Your Secrets: Understanding and Measuring Data Exposure in VSCode Extensions
Yue Liu
Chakkrit Tantithamthavorn
Li Li
100
0
0
01 Dec 2024
Dirty-Waters: Detecting Software Supply Chain Smells
Raphina Liu
Sofia Bobadilla
Benoit Baudry
Martin Monperrus
120
0
0
21 Oct 2024
Software Security Analysis in 2030 and Beyond: A Research Roadmap
Marcel Böhme
Eric Bodden
Tevfik Bultan
Cristian Cadar
Yang Liu
Giuseppe Scanniello
72
3
0
26 Sep 2024
Tactics, Techniques, and Procedures (TTPs) in Interpreted Malware: A Zero-Shot Generation with Large Language Models
Ying Zhang
Xiaoyan Zhou
Hui Wen
Wenjia Niu
Jiqiang Liu
Haining Wang
Qiang Li
75
5
0
11 Jul 2024
SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties
C. Okafor
Taylor R. Schorlemmer
Santiago Torres-Arias
James C. Davis
106
46
0
14 Jun 2024
What do we know about Hugging Face? A systematic literature review and quantitative validation of qualitative claims
Jason Jones
Wenxin Jiang
Nicholas Synovic
George K. Thiruvathukal
James C. Davis
107
5
0
12 Jun 2024
An Industry Interview Study of Software Signing for Supply Chain Security
Kelechi G. Kalu
Tanya Singla
C. Okafor
Santiago Torres-Arias
James C. Davis
113
7
0
12 Jun 2024
We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs
Joseph Spracklen
Raveen Wijewickrama
A. H. M. N. Sakib
Anindya Maiti
Murtuza Jadliwala
170
13
0
12 Jun 2024
Turning the Tide on Dark Pools? Towards Multi-Stakeholder Vulnerability Notifications in the Ad-Tech Supply Chain
Yash Vekaria
Rishab Nithyanand
Zubair Shafiq
38
1
0
11 Jun 2024
Chain of trust: Unraveling references among Common Criteria certified products
Adam Janovsky
Lukasz Chmielewski
P. Švenda
Jan Jancar
Vashek Matyás
31
2
0
22 Apr 2024
DONAPI: Malicious NPM Packages Detector using Behavior Sequence Knowledge Mapping
Cheng Huang
Nannan Wang
Ziteng Wang
Siqi Sun
Lingzi Li
Junren Chen
Qianchong Zhao
Jiaxuan Han
Zhen Yang
Lei Shi (Sichuan University)
70
11
0
13 Mar 2024
Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors
Taylor R. Schorlemmer
Kelechi G. Kalu
Luke Chigges
Kyung Myung Ko
Eman Abdul-Muhd Abu Isghair
Saurabh Baghi
Santiago Torres-Arias
James C. Davis
99
11
0
26 Jan 2024
Why Not Mitigate Vulnerabilities in Helm Charts?
Yihao Chen
Jiahuei Lin
Bram Adams
Ahmed E. Hassan
43
0
0
23 Dec 2023
Naming Practices of Pre-Trained Models in Hugging Face
Wenxin Jiang
Chingwo Cheung
Mingyu Kim
Heesoo Kim
George K. Thiruvathukal
James C. Davis
CVBM
62
6
0
02 Oct 2023
A Closer Look at the Security Risks in the Rust Ecosystem
Xiao-juan Zheng
Zhiyuan Wan
Yun Zhang
Rui Chang
David Lo
23
12
0
29 Aug 2023
An Empirical Study on Using Large Language Models to Analyze Software Supply Chain Security Failures
Tanmay Singla
Dharun Anandayuvaraj
Kelechi G. Kalu
Taylor R. Schorlemmer
James C. Davis
133
14
0
09 Aug 2023
The Hitchhiker's Guide to Malicious Third-Party Dependencies
Piergiorgio Ladisa
Merve Sahin
Serena Elisa Ponta
M. Rosa
Matias Martinez
Olivier Barais
40
7
0
18 Jul 2023
HODOR: Shrinking Attack Surface on Node.js via System Call Limitation
Wenya Wang
Xingwei Lin
Jingyi Wang
Wang Gao
Dawu Gu
Wei Lv
Jiashui Wang
46
3
0
24 Jun 2023
UNGOML: Automated Classification of unsafe Usages in Go
A. Wickert
C. Damke
Lars Baumgärtner
Eyke Hüllermeier
Mira Mezini
114
0
0
01 Jun 2023
Trusting code in the wild: A social network-based centrality rating for developers in the Rust ecosystem
Nasif Imtiaz
Preya Shabrina
Laurie A. Williams
26
0
0
31 May 2023
Software supply chain: review of attacks, risk assessment strategies and security controls
Betul Gokkaya
Leonardo Aniello
Basel Halak
50
6
0
23 May 2023
An Empirical Study of Pre-Trained Model Reuse in the Hugging Face Deep Learning Model Registry
Wenxin Jiang
Nicholas Synovic
Matt Hyatt
Taylor R. Schorlemmer
R. Sethi
Yung-Hsiang Lu
George K. Thiruvathukal
James C. Davis
88
71
0
05 Mar 2023
Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages
Tiago Brito
Mafalda Ferreira
M. Monteiro
Pedro Lopes
Miguel Barros
J. Santos
Nuno Santos
27
13
0
12 Jan 2023
Machine Learning Systems are Bloated and Vulnerable
Huaifeng Zhang
Fahmi Abdulqadir Ahmed
Dyako Fatih
Akayou Kitessa
Mohannad J. Alhanahnah
Philipp Leitner
Ahmed Ali-Eldin
39
5
0
16 Dec 2022
A Tale of Frozen Clouds: Quantifying the Impact of Algorithmic Complexity Vulnerabilities in Popular Web Servers
M. Bhuiyan
Cristian-Alexandru Staicu
65
0
0
21 Nov 2022
Cargo Ecosystem Dependency-Vulnerability Knowledge Graph Construction and Vulnerability Propagation Study
Peiyang Jia
Chengwei Liu
Hongyu Sun
Chengyi Sun
Mianxue Gu
Yang Liu
Yuqing Zhang
29
3
0
14 Oct 2022
Malicious Source Code Detection Using Transformer
Chen Tsfaty
Michael Fire
64
4
0
16 Sep 2022
Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js
Mikhail Shcherbakov
Musard Balliu
Cristian-Alexandru Staicu
62
32
0
22 Jul 2022
Automating Dependency Updates in Practice: An Exploratory Study on GitHub Dependabot
Runzhi He
Hao He
Yuxia Zhang
Minghui Zhou
93
35
0
15 Jun 2022
Taxonomy of Attacks on Open-Source Software Supply Chains
Piergiorgio Ladisa
H. Plate
Matias Martinez
Olivier Barais
100
148
0
08 Apr 2022
Practical Automated Detection of Malicious npm Packages
Adriana Sejfia
Max Schäfer
50
69
0
28 Feb 2022
What are Weak Links in the npm Supply Chain?
Nusrat Zahan
Thomas Zimmermann
Patrice Godefroid
Brendan Murphy
C. Maddila
Laurie A. Williams
100
113
0
19 Dec 2021
Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages
Nasif Imtiaz
A. Khanom
Laurie A. Williams
49
21
0
13 Dec 2021
Bilingual Problems: Studying the Security Risks Incurred by Native Extensions in Scripting Languages
Cristian-Alexandru Staicu
Sazzadur Rahaman
Ágnes Kiss
Michael Backes
68
11
0
22 Nov 2021
A Survey on Common Threats in npm and PyPi Registries
Berkay Kaplan
J. Qian
31
20
0
21 Aug 2021
A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI
Jukka Ruohonen
Kalle Hjerppe
Kalle Rindell
51
24
0
27 Jul 2021
Containing Malicious Package Updates in npm with a Lightweight Permission System
G. Ferreira
Limin Jia
Joshua Sunshine
Christian Kastner
61
49
0
08 Mar 2021
I Know What You Imported Last Summer: A study of security threats in the Python ecosystem
Aadesh Bagmar
J. Wedgwood
Dave Levin
Jim Purtilo
ELM
42
12
0
11 Feb 2021
Mir: Automated Quantifiable Privilege Reduction Against Dynamic Library Compromise in JavaScript
N. Vasilakis
Cristian-Alexandru Staicu
Greg Ntousakis
Konstantinos Kallas
Ben Karel
A. DeHon
Michael Pradel
127
4
0
31 Oct 2020
Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks
Marc Ohm
H. Plate
Arnold Sykosch
M. Meier
72
206
0
19 May 2020