Since we debuted our Advanced Development Pack in late 2020, Sonatype's discoveries of malicious packages infiltrating npm have made headlines over and over [1, 2, 3, 4, 5].
While it has been a company-wide initiative, the progress has really been made possible by the team building our automated malware detection system, Release Integrity, part of the next-generation Nexus Intelligence products, which continuously monitors newly released npm packages and flags suspicious components.
This data, which flows through our Advanced Development Pack, is powerful on its own, but combined with Nexus Firewall it automatically thwarts attacks on your supply chain by quarantining suspicious and malicious components immediately.
Let’s meet our principal software engineer Xiaorong Xiang and data scientist Cody Nash, part of the development team behind the Release Integrity system.
On any given day, Cody and Xiaorong can be seen extensively monitoring events and activity patterns associated with malicious components being published in the wild, and tuning our AI/ML-based automated malware detection algorithms accordingly.
As an example, this includes the frequent "spikes" we continue to see around dependency confusion copycats being published; by mid-March 2021 their count had surpassed 10,000, and it is only growing.
The copycats have become so frequent that it hasn't been possible to write about all of them, but during the March spikes Release Integrity caught at least 5,000+ copycats on top of the 5,000+ we had already covered on npm and PyPI.
As Xiaorong explains in the video, every newly published npm package is ingested and evaluated by the Release Integrity system against criteria comprising over five dozen "signals", or red flags, that indicate the package could be suspicious, such as the age of the package, whereabouts (Read more…)