The Hitchhiker's Guide to Malicious Third-Party Dependencies. (arXiv:2307.09087v1 [cs.CR])
cs.CR updates on arXiv.org
The increasing popularity of certain programming languages has spurred the
creation of ecosystem-specific package repositories and package managers. Such
repositories (e.g., NPM, PyPI) serve as public databases that users can query
to retrieve packages for various functionalities, whereas package managers
automatically handle dependency resolution and package installation on the
client side. These mechanisms enhance software modularization and accelerate
implementation. However, they have become a target for malicious actors seeking
to propagate malware on a large scale.
In this work, we …