New Community Resource Vets Key Threats, Catalogs Analysis of 5 Million Packages Across Open Source Repositories Including npm, PyPI and RubyGems; Contributes Findings to OpenSSF Malicious Packages Project
ReversingLabs (RL), the trusted name in file and software security, today introduced Spectra Assure Community, the largest, free community resource that makes it easy for software producers to quickly vet open source software packages by providing a comprehensive risk analysis. Leveraging RL’s award-winning Spectra Assure software supply chain security solution, Spectra Assure Community enables developers, repository managers, and engineering teams, among others, to check more than 5 million code packages from open source repositories for malicious code, code tampering, suspicious behaviors, known vulnerabilities, license compliance issues, exposed secrets, and overall package health.
Malicious attacks on public open source repositories are now as pervasive as developers’ use of open source dependencies, making it increasingly difficult for software producers to implicitly trust the safety of every piece of code. RL marked an astounding 1,300% increase in malicious open source packages from 2020 to 2023, and an increase of 28% over 2022, when a little more than 8,700 malicious packages were detected. Additionally, the 2024 Verizon Data Breach Investigations Report reported a significant increase in software supply chain attacks. The report reinforced that developers have become a prime target for criminal and nation-state-sponsored actors and must be sure that open source code from repositories is free from malware.
Spectra Assure Community provides a free risk assessment for open source components from the most popular package repositories such as npm, PyPI, and RubyGems. It provides a comprehensive risk assessment for software packages, offering visibility into threats, security, and compliance issues. This community resource provides these unique insights into OSS packages through:
- Comprehensive analysis: Using Spectra Assure’s proprietary AI-driven complex binary analysis to analyze each component of a software binary for malicious code, tampering, or other risks or threats.
- Advanced threat detection: RL maintains the most complete and up-to-date corpus of malware in the world, which enables unique visibility and detection of emerging threats within OSS repositories.
- Standardized security assurance: The Spectra Assure Risk Assessment is presented in a normalized format for the selected package, allowing users to make a simple comparison.
Building with safe and secure components is foundational to stopping hackers and software supply chain attacks. Spectra Assure Community increases the build quality and security, saves time, and improves traceability to help any development organization deliver safe and on-time builds.
“We can no longer deny that software represents the largest under-addressed attack surface facing businesses today. The threats hiding among open source, proprietary, commercial and third-party code are leaving software producers and enterprise consumers at increasing risk,” said Tomislav Pericin, co-founder and chief software architect, ReversingLabs. “We are committed to helping developers make software safe for all with easily searchable, real-time threat intelligence data about software packages in open source repositories.”
Community Contribution
Today’s launch of Spectra Assure Community underscores RL’s enduring commitment to protecting open source communities from threats hidden in the software supply chain. The RL Threat Research team has long helped to find malicious code in package repositories and worked with administrators to facilitate removal, while regularly sharing threat intelligence. Recent RL research includes IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations and VMConnect: Malicious PyPI packages imitate popular open source modules. RL will also contribute lists of these malicious packages to the OpenSSF Malicious Packages repository, the first open source system for collecting and publishing cross-ecosystem reports of malicious packages.
“ReversingLabs’ contributions to the OpenSSF Malicious Packages repository will allow us to grow the database and provide enriched data about malicious packages to researchers looking to identify trends and specific bad actors,” said Omkhar Arasaratnam, General Manager, OpenSSF. “Their contributions will help to power a public database that aggregates reports of malicious packages discovered in open source repositories with the potential to stop malicious dependencies from moving through CI/CD pipelines, refine detection engines, scan for and prevent usage in environments, or accelerate incident response.”