The Package Analysis project analyses the capabilities of packages available on open source repositories. The project looks for behaviors that indicate malicious software:

  • What files do they access?
  • What addresses do they connect to?
  • What commands do they run?

The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously.
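The following is an added example, not code from the Package Analysis project, showing the idea in the paragraph above: compare the capabilities observed for two versions of the same package and surface what the newer version started doing. The report format, the package name, paths, the address and the "expected change" rule are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# The three capability kinds the text lists: file access, network addresses, commands.
CAPABILITY_KINDS = ("files", "addresses", "commands")


@dataclass
class BehaviorReport:
    """Observed behaviour of one package version (constructed format, an assumption)."""
    package: str
    version: str
    files: set = field(default_factory=set)
    addresses: set = field(default_factory=set)
    commands: set = field(default_factory=set)


def new_capabilities(previous: BehaviorReport, current: BehaviorReport) -> dict:
    """Capabilities seen in `current` that `previous` never exhibited, keyed by kind."""
    drift = {}
    for kind in CAPABILITY_KINDS:
        added = getattr(current, kind) - getattr(previous, kind)
        if added:
            drift[kind] = sorted(added)
    return drift


def suspicious_drift(drift: dict, install_prefix: str) -> list:
    """Reduce a drift dict to the findings worth a human look.

    Rule (an assumption for this example): any new network destination or
    newly executed command is reported; new file access is reported only
    outside the package's own install directory, because a normal update
    is expected to ship new files there.
    """
    findings = []
    for address in drift.get("addresses", []):
        findings.append(f"new network destination: {address}")
    for command in drift.get("commands", []):
        findings.append(f"new command executed: {command}")
    for path in drift.get("files", []):
        if not path.startswith(install_prefix):
            findings.append(f"new file access outside install dir: {path}")
    return findings


# Constructed sample reports for two versions of a hypothetical package.
V1 = BehaviorReport(
    package="examplelib", version="1.0.0",
    files={"/site-packages/examplelib/__init__.py", "/site-packages/examplelib/core.py"},
)
V2 = BehaviorReport(
    package="examplelib", version="1.0.1",
    files={"/site-packages/examplelib/__init__.py", "/site-packages/examplelib/core.py",
           "/site-packages/examplelib/util.py", "/home/user/.netrc"},
    addresses={"203.0.113.5:443"},  # TEST-NET-3 address, constructed for the example
    commands={"curl"},
)


def check_example() -> list:
    """Run the comparison on the constructed reports and return the findings."""
    drift = new_capabilities(V1, V2)
    return suspicious_drift(drift, install_prefix="/site-packages/examplelib/")


if __name__ == "__main__":
    for finding in check_example():
        print(finding)
```

The point of the split into `new_capabilities` and `suspicious_drift` is that the raw diff is kept as data (it is what a researcher wants to query across the ecosystem), while the judgement about which changes deserve attention is a separate, tunable rule.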

This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem.

This code is designed to work with the Package Feeds project, and originally started there.

For examples of what this project has detected, check out the case studies.
Package Feeds

The binary produced by cmd/scheduled-feed/main.go can be used to monitor various package repositories for changes and publish data to external services for further processing.

Additionally, the repo contains a few subprojects to aid in the analysis of these open source packages, in particular to look for malicious software.

These are:

Feeds to watch package registries (PyPI, NPM, etc.) for changes to packages and to make that data available via a single standard interface.

Publisher provides the functionality to push package details from feeds towards external services such as GCP Pub/Sub. Package details are formatted in line with a versioned JSON schema.

This repo used to contain several other projects, which have since been split out into github.com/ossf/package-analysis.

The goal is for all of these components to work together and provide extensible, community-run infrastructure to study behavior of open source packages and to look for malicious software. We also hope that the components can be used independently, to provide package feeds or runtime behavior data for anyone interested.