Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks
This work addresses the vulnerability of software development to supply chain attacks, which is a critical issue for open source communities and researchers, though it is incremental as it builds on existing knowledge by providing structured data and models.
The paper tackles the problem of open source software supply chain attacks by presenting a dataset of 174 malicious packages from real-world attacks and two attack trees to outline injection and execution techniques, with the dataset covering packages from November 2015 to November 2019 distributed via npm, PyPI, and RubyGems.
A software supply chain attack is characterized by the injection of malicious code into a software package in order to compromise dependent systems further down the chain. Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle. This paper presents a dataset of 174 malicious software packages that were used in real-world attacks on open source software supply chains, and which were distributed via the popular package repositories npm, PyPI, and RubyGems. Those packages, dating from November 2015 to November 2019, were manually collected and analyzed. The paper also presents two general attack trees to provide a structured overview about techniques to inject malicious code into the dependency tree of downstream users, and to execute such code at different times and under different conditions. This work is meant to facilitate the future development of preventive and detective safeguards by open source and research communities.