Recently GitLab open-sourced a tool that enables developers and security teams to detect malicious code in application dependencies. Package Hunter analyzes dependencies for both malicious code and other unexpected behavior.
It installs the dependencies in a sandbox environment and then reports any suspicious behavior to the developer, who can then further examine them.
According to GitLab, a recent review of open source software supply chain attacks found common malicious dependencies. The methods for delivering malicious dependencies have also become sophisticated.
For example, earlier this year, security researchers discovered a vulnerability dubbed Dependency Confusion in many popular package managers that can be used to trick the package manager into installing dependencies from a location that the attacker controls instead of the trusted package registry. The attacker could then execute code to compromise production systems or CI environments, GitLab explained.
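To make the resolution flaw concrete, here is an added example (not from the article, and not GitLab's or Package Hunter's code) that models two resolution rules over constructed registry data: the confusable rule that takes the highest version from any registry, and a pinned rule that binds a package scope to one registry and fails closed. The registry names, the `@acme` scope and the package versions are all assumed sample values.

```python
# Added example: a constructed model of Dependency Confusion and its mitigation.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

@dataclass
class Registry:
    name: str
    scope: Optional[str]                # scope this registry is authoritative for; None = public
    packages: Dict[str, List[Version]]  # package name -> published versions

# Constructed sample data: the internal registry hosts @acme/billing 1.2.0, while the
# public registry carries a same-named package with a much higher version number.
INTERNAL = Registry("internal", "@acme", {"@acme/billing": [(1, 2, 0)]})
PUBLIC = Registry("public", None, {"@acme/billing": [(99, 0, 0)], "left-pad": [(1, 3, 0)]})
REGISTRIES = [INTERNAL, PUBLIC]

def scope_of(name: str) -> Optional[str]:
    """'@acme/billing' -> '@acme'; unscoped names have no scope."""
    return name.split("/", 1)[0] if name.startswith("@") else None

def resolve_confusable(name: str, registries: List[Registry]) -> Optional[Tuple[Version, str]]:
    """Vulnerable rule: ask every registry and take the highest version, whatever its source.
    The public 99.0.0 beats the internal 1.2.0, which is the confusion described above."""
    best = None
    for reg in registries:
        for ver in reg.packages.get(name, []):
            if best is None or ver > best[0]:
                best = (ver, reg.name)
    return best

def resolve_pinned(name: str, registries: List[Registry]) -> Optional[Tuple[Version, str]]:
    """Hardened rule: a scoped name is resolved only from the registry bound to its scope and an
    unscoped name only from the public registry; a missing package fails closed (None) rather
    than falling back to another source."""
    wanted = scope_of(name)
    for reg in registries:
        if reg.scope == wanted:
            versions = reg.packages.get(name, [])
            return (max(versions), reg.name) if versions else None
    return None

def confusable_names(manifest: List[str], internal: Registry, public: Registry) -> List[str]:
    """Audit check: internal package names that also exist on the public registry, i.e. the
    names on which a highest-version-wins client could be redirected."""
    return [n for n in manifest if n in internal.packages and n in public.packages]

if __name__ == "__main__":
    for dep in ["@acme/billing", "left-pad"]:
        print(dep, "confusable ->", resolve_confusable(dep, REGISTRIES),
              "| pinned ->", resolve_pinned(dep, REGISTRIES))
    print("confusable names:", confusable_names(["@acme/billing", "left-pad"], INTERNAL, PUBLIC))
```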
Further complicating the matter is that many existing dependency scanners are limited to identifying dependencies with known vulnerabilities and don't detect whether a dependency executes malicious code. The company hopes Package Hunter will fill this need.