Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

There needs to be some way of automatically flagging package upgrades that might be malware.

Introducing calls to things like is system or subprocess should be a red flag.

I feel like the pledge system would be a good model here: https://medium.com/@_neerajpal/pledge-openbsds-defensive-app...



Been working on this exact thing for nearly two years at https://www.phylum.io. We identified and reported about 1.2k packages in ecosystems like npm, pypi and others last year. GitHub app that checks your PRs for malware. We also built a free open source sandbox for package installations [1] so if malware does get executed it’s done in a locked down environment. Happy to chat further about this sort of thing, it’s something I’m wildly interested in!

[1] https://github.com/phylum-dev/birdcage


I've been building Packj [1] to address exactly this problem. You can _audit_ as well as _sandbox_ installation of PyPI/NPM/Rubygems packages and flags hidden malware or "risky” code behavior such as spawning of shell, use of SSH keys, and mismatch of GitHub code vs packaged code (provenance).

1. https://github.com/ossillate-inc/packj flags malicious/risky packages.


Vendors like Sonatype already offer this for enterprises. I feel we're a long way from it being available in core OSS repositories though.

https://help.sonatype.com/fw/best-practices/release-integrit...


This is exactly what we provide at Socket. See https://socket.dev

We flag anything a package introduces new install scripts, network, etc.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: