Unearthing Malicious and Risky OpenSource Packages Using Packj

nullcon via YouTube

Overview

This course aims to teach learners how to analyze and mitigate risks associated with malicious and risky open-source packages using the PACKJ security analysis framework. The course covers topics such as software supply chain attacks, attack techniques like typosquatting and social engineering, and defense mechanisms against these attacks. Learners will acquire skills in deep metadata analysis, rigorous API analysis, and runtime analysis. The teaching method includes a presentation of the PACKJ framework, highlighting findings, discussing different types of attacks, and demonstrating the tool to detect risky packages. The intended audience for this course includes developers, security professionals, and individuals interested in software supply chain security.

Syllabus

Intro
Open-source software is everywhere
Package Managers
Package Installation today - dependency hell
Software Supply Chain Attack
Attack Techniques: Typosquatting
Technique: Social Engineering
Technique: Dependency Confusion
Technique: Account Hijacking
How do we defend against these attacks?
Manual Vetting is infeasible
Vanity Stats are not enough
Packj: a dev-friendly vetting tool
Deep Metadata Analysis
Rigorous API Analysis
Runtime Analysis
Remote Code Execution Attack
Dependency Confusion Attack - Feb 2021
Colors and Faker Attack - Jan 2022

Taught by

nullcon
