Taxonomy of Attacks on Open-Source Software Supply Chains

8 April 2022

Papers citing "Taxonomy of Attacks on Open-Source Software Supply Chains"

49 / 49 papers shown

Title
LibVulnWatch: A Deep Assessment Agent System and Leaderboard for Uncovering Hidden Vulnerabilities in Open-Source AI Libraries Zekun Wu Seonglae Cho U. Mohammed Cristian Muñoz Kleyton Costa Xin Guan Theo King Ze Wang Emre Kazim Adriano Soares Koshiyama ELM 43 0 0 13 May 2025
ROSA: Finding Backdoors with Fuzzing Dimitri Kokkonis Michaël Marcozzi Emilien Decoux Stefano Zacchiroli 29 0 0 13 May 2025
Security-by-Design at the Telco Edge with OSS: Challenges and Lessons Learned Carmine Cesarano Alessio Foggia Gianluca Roscigno Luca Andreani R. Natella 19 0 0 30 Apr 2025
Sleeping Giants - Activating Dormant Java Deserialization Gadget Chains through Stealthy Code Changes Bruno Kreyssig Sabine Houy Timothée Riom Alexandre Bartel 24 0 0 29 Apr 2025
User Profiles: The Achilles' Heel of Web Browsers Dolière Francis Somé Moaz Airan Zakir Durumeric Cristian-Alexandru Staicu 19 0 0 24 Apr 2025
Automatically Generating Rules of Malicious Software Packages via Large Language Model XiangRui Zhang HaoYu Chen YongZhong He Wenjia Niu Qiang Li 37 0 0 24 Apr 2025
Closing the Chain: How to reduce your risk of being SolarWinds, Log4j, or XZ Utils Sivana Hamer Jacob Bowen Md Nazmul Haque Robert Hines Chris Madden Laurie A. Williams 39 2 0 15 Mar 2025
ConfuGuard: Using Metadata to Detect Active and Stealthy Package Confusion Attacks Accurately and at Scale Wenxin Jiang Berk Çakar Mikola Lysenko James C. Davis 44 0 0 27 Feb 2025
SoK: Towards Effective Automated Vulnerability Repair Ying Li Faysal hossain shezan Bomin wei Gang Wang Yuan Tian 128 1 0 31 Jan 2025
MoPD: Mixture-of-Prompts Distillation for Vision-Language Models Yang Chen Shuai Fu Yu Zhang VLM 46 0 0 26 Dec 2024
4.5 Million (Suspected) Fake Stars in GitHub: A Growing Spiral of Popularity Contests, Scams, and Malware Hao He Haoqin Yang Philipp Burckhardt A. Kapravelos Bogdan Vasilescu Christian Kastner 80 3 0 18 Dec 2024
SoK: A Systems Perspective on Compound AI Threats and Countermeasures Sarbartha Banerjee Prateek Sahu Mulong Luo Anjo Vahldiek-Oberwagner N. Yadwadkar Mohit Tiwari AAML 77 0 0 20 Nov 2024
Dirty-Waters: Detecting Software Supply Chain Smells Raphina Liu Sofia Bobadilla Benoit Baudry Martin Monperrus 21 0 0 21 Oct 2024
SoK: Software Compartmentalization Hugo Lefeuvre Nathan Dautenhahn David Chisnall Pierre Olivier 30 3 0 11 Oct 2024
A Large-Scale Exploit Instrumentation Study of AI/ML Supply Chain Attacks in Hugging Face Models Beatrice Casey Joanna C. S. Santos Mehdi Mirakhorli CVBM 27 1 0 06 Oct 2024
Models Are Codes: Towards Measuring Malicious Code Poisoning Attacks on Pre-trained Model Hubs Jian Zhao Shenao Wang Yanjie Zhao Xinyi Hou Kailong Wang Peiming Gao Yuanchao Zhang Chen Wei Haoyu Wang 39 10 0 14 Sep 2024
Towards Robust Detection of Open Source Software Supply Chain Poisoning Attacks in Industry Environments Xinyi Zheng Chen Wei Shenao Wang Yanjie Zhao Peiming Gao Yuanchao Zhang Kailong Wang Haoyu Wang 32 3 0 14 Sep 2024
The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach Giacomo Benedetti Serena Cofano Alessandro Brighente Mauro Conti 27 0 0 10 Sep 2024
Unintentional Security Flaws in Code: Automated Defense via Root Cause Analysis Nafis Tanveer Islam Mazal Bethany Dylan Manuel Murtuza Jadliwala Peyman Najafirad 41 0 0 30 Aug 2024
Java-Class-Hijack: Software Supply Chain Attack for Java based on Maven Dependency Resolution and Java Classloading Federico Bono Frank Reyes Aman Sharma Benoit Baudry Martin Monperrus 18 1 0 26 Jul 2024
Tactics, Techniques, and Procedures (TTPs) in Interpreted Malware: A Zero-Shot Generation with Large Language Models Ying Zhang Xiaoyan Zhou Hui Wen Wenjia Niu Jiqiang Liu Haining Wang Qiang Li 46 3 0 11 Jul 2024
GoSurf: Identifying Software Supply Chain Attack Vectors in Go Carmine Cesarano Vivi Andersson Roberto Natella Martin Monperrus 26 0 0 05 Jul 2024
Establishing Provenance Before Coding: Traditional and Next-Gen Software Signing Taylor R. Schorlemmer Ethan H. Burmane Kelechi G. Kalu Santiago Torres-Arias James C. Davis 39 0 0 04 Jul 2024
SBOM.EXE: Countering Dynamic Code Injection based on Software Bill of Materials in Java Aman Sharma Martin Wittlinger Benoit Baudry Martin Monperrus 28 5 0 28 Jun 2024
SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties C. Okafor Taylor R. Schorlemmer Santiago Torres-Arias James C. Davis 34 41 0 14 Jun 2024
We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs Joseph Spracklen Raveen Wijewickrama A. H. M. N. Sakib Anindya Maiti Murtuza Jadliwala Murtuza Jadliwala 48 9 0 12 Jun 2024
An Industry Interview Study of Software Signing for Supply Chain Security Kelechi G. Kalu Tanya Singla C. Okafor Santiago Torres-Arias James C. Davis 43 4 0 12 Jun 2024
How the Future Works at SOUPS: Analyzing Future Work Statements and Their Impact on Usable Security and Privacy Research Jacques Suray J. Klemmer Juliane Schmüser Sascha Fahl 24 1 0 30 May 2024
Predicting Likely-Vulnerable Code Changes: Machine Learning-based Vulnerability Protections for Android Open Source Project K. Yim AAML 26 0 0 26 May 2024
SoK: A Defense-Oriented Evaluation of Software Supply Chain Security Eman Abu Ishgair Marcela S. Melara Santiago Torres-Arias 29 2 0 23 May 2024
A Large-scale Fine-grained Analysis of Packages in Open-Source Software Ecosystems Xiaoyan Zhou Feiran Liang Zhaojie Xie Yang Lan Wenjia Niu Jiqiang Liu Haining Wang Qiang Li 24 1 0 17 Apr 2024
Just another copy and paste? Comparing the security vulnerabilities of ChatGPT generated code and StackOverflow answers Sivana Hamer Marcelo dÁmorim Laurie A. Williams SILM ELM 40 18 0 22 Mar 2024
SoK: Security of Programmable Logic Controllers Efrén López-Morales Ulysse Planta Carlos Rubio-Medrano Ali Abbasi Alvaro A. Cardenas 20 2 0 01 Mar 2024
DevPhish: Exploring Social Engineering in Software Supply Chain Attacks on Developers Hossein Siadati Sima Jafarikhah Elif Sahin Terrence Brent Hernandez Elijah Lorenzo Tripp Denis Khryashchev 30 1 0 28 Feb 2024
SoK: What don't we know? Understanding Security Vulnerabilities in SNARKs Stefanos Chaliasos Jens Ernstberger David Theodore David Wong Mohammad Jahanara Benjamin Livshits 37 17 0 23 Feb 2024
What Can Self-Admitted Technical Debt Tell Us About Security? A Mixed-Methods Study Nicolás E. Díaz Ferreyra Mojtaba Shahin Mansooreh Zahedi Sodiq Quadri Riccardo Scandariato 21 1 0 23 Jan 2024
Code Ownership in Open-Source AI Software Security Jiawen Wen Dong Yuan Lei Ma Huaming Chen 18 0 0 18 Dec 2023
Assessing the Threat Level of Software Supply Chains with the Log Model Luis Soeiro Thomas Robert Stefano Zacchiroli 19 0 0 20 Nov 2023
On the Feasibility of Cross-Language Detection of Malicious Packages in npm and PyPI Piergiorgio Ladisa Serena Elisa Ponta Nicola Ronzoni Matias Martinez Olivier Barais 31 11 0 14 Oct 2023
An Empirical Study on Using Large Language Models to Analyze Software Supply Chain Security Failures Tanmay Singla Dharun Anandayuvaraj Kelechi G. Kalu Taylor R. Schorlemmer James C. Davis 26 13 0 09 Aug 2023
The Hitchhiker's Guide to Malicious Third-Party Dependencies Piergiorgio Ladisa Merve Sahin Serena Elisa Ponta M. Rosa Matias Martinez Olivier Barais 19 7 0 18 Jul 2023
You Can Run But You Can't Hide: Runtime Protection Against Malicious Package Updates For Node.js Marc Ohm Timo Pohl Felix Boes 22 5 0 31 May 2023
Speranza: Usable, privacy-friendly software signing K. Merrill Zachary Newman Santiago Torres-Arias K. Sollins 8 13 0 10 May 2023
Journey to the Center of Software Supply Chain Attacks Piergiorgio Ladisa Serena Elisa Ponta A. Sabetta Matias Martinez Olivier Barais 13 4 0 11 Apr 2023
Challenges of Producing Software Bill Of Materials for Java Musard Balliu Benoit Baudry Sofia Bobadilla M. Ekstedt Monperrus Martin Javier Ron Aman Sharma Gabriel Skoglund César Soto-Valero Martin Wittlinger 22 27 0 20 Mar 2023
An Integrity-Focused Threat Model for Software Development Pipelines B. M. Reichert R. Obelheiro 13 0 0 11 Nov 2022
Towards the Detection of Malicious Java Packages Piergiorgio Ladisa H. Plate Matias Martinez Olivier Barais Serena Elisa Ponta 42 14 0 08 Oct 2022
A Benchmark Comparison of Python Malware Detection Approaches Duc-Ly Vu Zachary Newman J. Meyers 8 21 0 27 Sep 2022
SpellBound: Defending Against Package Typosquatting Matthew Taylor Ruturaj K. Vaidya Drew Davidson Lorenzo De Carli Vaibhav Rastogi 32 21 0 06 Mar 2020