1902.09217
Small World with High Risks: A Study of Security Threats in the npm Ecosystem
25 February 2019
Markus Zimmermann
Cristian-Alexandru Staicu
Cam Tenny
Michael Pradel
Papers citing
"Small World with High Risks: A Study of Security Threats in the npm Ecosystem"
50 / 57 papers shown
A Comprehensive Study on the Impact of Vulnerable Dependencies on Open-Source Software
IEEE International Symposium on Software Reliability Engineering (ISSRE), 2024
Shree Hari Bittugondanahalli Indra Kumar
Lilia Sampaio
André Martin
Andrey Brito
Christof Fetzer
78
5
0
03 Dec 2025
Toward Understanding Security Issues in the Model Context Protocol Ecosystem
Xiaofan Li
Xing Gao
228
4
0
18 Oct 2025
AgentHub: A Registry for Discoverable, Verifiable, and Reproducible AI Agents
Erik Pautsch
Tanmay Singla
Wenxin Jiang
Huiyun Peng
Behnaz Hassanshahi
Konstantin Läufer
George K. Thiruvathukal
James C. Davis
155
0
0
03 Oct 2025
A Measurement Study of Model Context Protocol Ecosystem
Hechuan Guo
Yongle Hao
Yue Zhang
Minghui Xu
Peizhuo Lyu
Jiezhi Chen
Xiuzhen Cheng
359
9
0
29 Sep 2025
Open Source, Open Threats? Investigating Security Challenges in Open-Source Software
Seyed Ali Akhavani
Behzad Ousat
Amin Kharraz
211
6
0
15 Jun 2025
PermRust: A Token-based Permission System for Rust
Lukas Gehring
Sebastian Rehms
Florian Tschorsch
103
0
0
13 Jun 2025
PoCGen: Generating Proof-of-Concept Exploits for Vulnerabilities in Npm Packages
Deniz Simsek
Aryaz Eghbali
Michael Pradel
530
13
0
05 Jun 2025
Propagation-Based Vulnerability Impact Assessment for Software Supply Chains
Bonan Ruan
Zhiwei Lin
Jiahao Liu
Chuqi Zhang
Kaihang Ji
Zhenkai Liang
332
1
0
02 Jun 2025
Securing the Software Package Supply Chain for Critical Systems
Ritwik Murali
Akash Ravi
169
0
0
28 May 2025
Automatically Generating Rules of Malicious Software Packages via Large Language Model
Dependable Systems and Networks (DSN), 2025
XiangRui Zhang
HaoYu Chen
YongZhong He
Wenjia Niu
Qiang Li
277
5
0
24 Apr 2025
Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack
IEEE Working Conference on Mining Software Repositories (MSR), 2025
Piotr Przymus
Thomas Durieux
157
12
0
24 Apr 2025
A Time Series Analysis of Malware Uploads to Programming Language Ecosystems
ARES (ARES), 2025
Jukka Ruohonen
Mubashrah Saddiqa
210
3
0
22 Apr 2025
ConfuGuard: Using Metadata to Detect Active and Stealthy Package Confusion Attacks Accurately and at Scale
Wenxin Jiang
Berk Çakar
Mikola Lysenko
James C. Davis
561
0
0
27 Feb 2025
Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks
Hao He
Bogdan Vasilescu
Jane Hsieh
160
8
0
10 Feb 2025
Six Million (Suspected) Fake Stars in GitHub: A Growing Spiral of Popularity Contests, Spams, and Malware
Hao He
Haoqin Yang
Philipp Burckhardt
A. Kapravelos
Bogdan Vasilescu
Jane Hsieh
406
6
0
18 Dec 2024
Protect Your Secrets: Understanding and Measuring Data Exposure in VSCode Extensions
IEEE International Conference on Software Analysis, Evolution, and Reengineering (SANER), 2024
Yue Liu
Chakkrit Tantithamthavorn
Li Li
313
5
0
01 Dec 2024
Dirty-Waters: Detecting Software Supply Chain Smells
Raphina Liu
Sofia Bobadilla
Benoit Baudry
Martin Monperrus
274
3
0
21 Oct 2024
Software Security Analysis in 2030 and Beyond: A Research Roadmap
ACM Transactions on Software Engineering and Methodology (TOSEM), 2024
Marcel Böhme
Eric Bodden
Tevfik Bultan
Cristian Cadar
Yang Liu
Giuseppe Scanniello
389
12
0
26 Sep 2024
Tactics, Techniques, and Procedures (TTPs) in Interpreted Malware: A Zero-Shot Generation with Large Language Models
Ying Zhang
Xiaoyan Zhou
Hui Wen
Wenjia Niu
Jiqiang Liu
Haining Wang
Qiang Li
243
13
0
11 Jul 2024
SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties
C. Okafor
Taylor R. Schorlemmer
Santiago Torres-Arias
James C. Davis
468
72
0
14 Jun 2024
What do we know about Hugging Face? A systematic literature review and quantitative validation of qualitative claims
Jason Jones
Wenxin Jiang
Nicholas Synovic
George K. Thiruvathukal
James C. Davis
305
24
0
12 Jun 2024
We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs
Joseph Spracklen
Raveen Wijewickrama
A. H. M. N. Sakib
Anindya Maiti
Murtuza Jadliwala
592
55
0
12 Jun 2024
An Industry Interview Study of Software Signing for Supply Chain Security
Kelechi G. Kalu
Tanya Singla
C. Okafor
Santiago Torres-Arias
James C. Davis
449
16
0
12 Jun 2024
Towards Multi-Stakeholder Vulnerability Notifications in the Ad-Tech Supply Chain
Yash Vekaria
Rishab Nithyanand
Zubair Shafiq
122
4
0
11 Jun 2024
Chain of trust: Unraveling references among Common Criteria certified products
Adam Janovsky
Lukasz Chmielewski
P. Švenda
Jan Jancar
Vashek Matyás
170
2
0
22 Apr 2024
DONAPI: Malicious NPM Packages Detector using Behavior Sequence Knowledge Mapping
USENIX Security Symposium (USENIX Security), 2024
Cheng Huang
Nannan Wang
Ziteng Wang
Siqi Sun
Lingzi Li
Junren Chen
Qianchong Zhao
Jiaxuan Han
Zhen Yang
Lei Shi Sichuan University
206
37
0
13 Mar 2024
Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors
IEEE Symposium on Security and Privacy (S&P), 2024
Taylor R. Schorlemmer
Kelechi G. Kalu
Luke Chigges
Kyung Myung Ko
Eman Abdul-Muhd Abu Isghair
Saurabh Baghi
Santiago Torres-Arias
James C. Davis
298
16
0
26 Jan 2024
Why Not Mitigate Vulnerabilities in Helm Charts?
Yihao Chen
Jiahuei Lin
Bram Adams
Ahmed E. Hassan
145
1
0
23 Dec 2023
"I see models being a whole other thing": An Empirical Study of Pre-Trained Model Naming Conventions and A Tool for Enhancing Naming Consistency
Empirical Software Engineering (EMSE), 2023
Wenxin Jiang
Chingwo Cheung
Mingyu Kim
Heesoo Kim
George K. Thiruvathukal
James C. Davis
CVBM
466
6
0
02 Oct 2023
A Closer Look at the Security Risks in the Rust Ecosystem
ACM Transactions on Software Engineering and Methodology (TOSEM), 2023
Xiao-juan Zheng
Zhiyuan Wan
Yun Zhang
Rui Chang
David Lo
187
21
0
29 Aug 2023
An Empirical Study on Using Large Language Models to Analyze Software Supply Chain Security Failures
Tanmay Singla
Dharun Anandayuvaraj
Kelechi G. Kalu
Taylor R. Schorlemmer
James C. Davis
419
25
0
09 Aug 2023
The Hitchhiker's Guide to Malicious Third-Party Dependencies
Piergiorgio Ladisa
Merve Sahin
Serena Elisa Ponta
M. Rosa
Matias Martinez
Olivier Barais
214
16
0
18 Jul 2023
HODOR: Shrinking Attack Surface on Node.js via System Call Limitation
Conference on Computer and Communications Security (CCS), 2023
Wenya Wang
Xingwei Lin
Jingyi Wang
Wang Gao
Dawu Gu
Wei Lv
Jiashui Wang
170
7
0
24 Jun 2023
UNGOML: Automated Classification of unsafe Usages in Go
IEEE Working Conference on Mining Software Repositories (MSR), 2023
A. Wickert
C. Damke
Lars Baumgärtner
Eyke Hüllermeier
Mira Mezini
266
1
0
01 Jun 2023
Trusting code in the wild: A social network-based centrality rating for developers in the Rust ecosystem
Nasif Imtiaz
Preya Shabrina
Laurie A. Williams
190
0
0
31 May 2023
Software supply chain: review of attacks, risk assessment strategies and security controls
Betul Gokkaya
Leonardo Aniello
Basel Halak
228
9
0
23 May 2023
An Empirical Study of Pre-Trained Model Reuse in the Hugging Face Deep Learning Model Registry
International Conference on Software Engineering (ICSE), 2023
Wenxin Jiang
Nicholas Synovic
Matt Hyatt
Taylor R. Schorlemmer
R. Sethi
Yung-Hsiang Lu
George K. Thiruvathukal
James C. Davis
256
97
0
05 Mar 2023
Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages
IEEE Transactions on Reliability (IEEE Trans. Reliab.), 2023
Tiago Brito
Mafalda Ferreira
M. Monteiro
Pedro Lopes
Miguel Barros
J. Santos
Nuno Santos
134
21
0
12 Jan 2023
Machine Learning Systems are Bloated and Vulnerable
Proceedings of the ACM on Measurement and Analysis of Computing Systems (POMACS), 2022
Huaifeng Zhang
Fahmi Abdulqadir Ahmed
Dyako Fatih
Akayou Kitessa
Mohannad J. Alhanahnah
Philipp Leitner
Ahmed Ali-Eldin
256
11
0
16 Dec 2022
A Tale of Frozen Clouds: Quantifying the Impact of Algorithmic Complexity Vulnerabilities in Popular Web Servers
M. Bhuiyan
Cristian-Alexandru Staicu
184
1
0
21 Nov 2022
Cargo Ecosystem Dependency-Vulnerability Knowledge Graph Construction and Vulnerability Propagation Study
Peiyang Jia
Chengwei Liu
Hongyu Sun
Chengyi Sun
Mianxue Gu
Yang Liu
Yuqing Zhang
123
2
0
14 Oct 2022
Malicious Source Code Detection Using Transformer
Chen Tsfaty
Michael Fire
251
7
0
16 Sep 2022
Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js
USENIX Security Symposium (USENIX Security), 2022
Mikhail Shcherbakov
Musard Balliu
Cristian-Alexandru Staicu
199
38
0
22 Jul 2022
Automating Dependency Updates in Practice: An Exploratory Study on GitHub Dependabot
IEEE Transactions on Software Engineering (TSE), 2022
Runzhi He
Hao He
Yuxia Zhang
Minghui Zhou
251
66
0
15 Jun 2022
Taxonomy of Attacks on Open-Source Software Supply Chains
IEEE Symposium on Security and Privacy (IEEE S&P), 2022
Piergiorgio Ladisa
H. Plate
Matias Martinez
Olivier Barais
326
230
0
08 Apr 2022
Practical Automated Detection of Malicious npm Packages
International Conference on Software Engineering (ICSE), 2022
Adriana Sejfia
Max Schäfer
193
92
0
28 Feb 2022
What are Weak Links in the npm Supply Chain?
Nusrat Zahan
Thomas Zimmermann
Patrice Godefroid
Brendan Murphy
C. Maddila
Laurie A. Williams
328
144
0
19 Dec 2021
Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages
Nasif Imtiaz
A. Khanom
Laurie A. Williams
156
26
0
13 Dec 2021
Bilingual Problems: Studying the Security Risks Incurred by Native Extensions in Scripting Languages
USENIX Security Symposium (USENIX Security), 2021
Cristian-Alexandru Staicu
Sazzadur Rahaman
Ágnes Kiss
Michael Backes
248
15
0
22 Nov 2021
A Survey on Common Threats in npm and PyPi Registries
Berkay Kaplan
J. Qian
310
25
0
21 Aug 2021