Meet Package Hunter: A tool for detecting malicious code in your dependencies
Modern programming ecosystems make code reuse exceptionally easy. No matter the programming task at hand, chances are there is a package in a public registry such as rubygems.org or npmjs.com that implements that task.
While the reuse of publicly available packages reduces the time necessary to write an app, this reuse brings its own set of challenges. Apps quickly depend on hundreds of packages, and programmers often simply just trust that these packages don't contain malicious code. In an ideal world, all depended-upon code is thoroughly vetted before being included in a program – however, this is often unfeasible in practice due to the sheer amount of dependency code that needs to be reviewed and the lack of existing tools to help with vetting dependency code.
Past incidents like malicious code in the popular package event-stream demonstrate that threat actors actively use public package registries as a distribution channel for malicious code. This incident wasn't a single event either. A recent review of open source software supply chain attacks found many similar malicious packages in the wild.
