software_supply_chain_papers

This repository contains a list of papers about software supply chain

Papers/Reports

• Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks (link: archive). 2020.
• Towards detection of software supply chain attacks by forensic artifacts (link: acm). 2020.
• Measuring and preventing supply chain attacks on package managers (link: archive). 2020.
• SpellBound: Defending Against Package Typosquatting (link: archive). 2020
• Security issues in language-based sofware ecosystems (link archive). 2019.
• Typosquatting and Combosquatting Attacks on the Python Ecosystem (link IEEE). 2020.
• Small world with high risks: A study of security threats in the npm ecosystem (link Usenix). 2019.
• BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain (link atlanticcouncil). 2020.
• A Look In the Mirror: Attacks on Package Managers (link acm). 2008.
• in-toto: Providing farm-to-table guarantees for bits and bytes (link usenix). 2019.
• Software Distribution Transparency and Auditability (link archive). 2017.
• Malware in the SGX supply chain: Be careful when signing enclaves! (link IEEE). 2020.
• Investigating the Reproducbility of NPM packages (link thesis). 2020.
• The Dangers of Malicious Modulesmedium
• Attacks on Package Managers (link thesis). 2019.
• Poster: Towards Using Source Code Repositories to Identify Software Supply Chain Attacks (link ACM)
• Package mis-management (link Github)
• If You’ve Seen One, You’ve Seen Them All: Leveraging AST Clustering Using MCL to Mimic Expertise to Detect Software Supply Chain Attacks (link Arxiv)
• Look before you pip
• Challenges and Implications of Verifiable Builds for Security-Critical Open-Source Software (link ACM)
• Nearly 18,000 SolarWinds Customers Installed Backdoored Software (linkthehackernews)
• For Good Measure Counting Broken Links: A Quant’s View of Software Supply Chain Security (link Usenix)
• What is typosquatting and how typosquatting attacks are responsible for malicious modules in npm (link snyk.io)
• Software Transparency: Part 1 (link blog.azuki.vip)
• Anomalicious: Automated Detection of Anomalous and Potentially Malicious Commits on GitHub (link arxiv.org)
• I Know What You Imported Last Summer: A study of security threats in the Python ecosystem (link arxiv.org)
• PHP's Git server hacked to add backdoors to PHP source code (link bleepingcomputer)
• Introducing sigstore: Easy Code Signing & Verification for Supply Chain Integrity (link googleblog)
• Reproducible Builds: Increasing the Integrity of Software Supply Chains (link arxiv.org)
• LastPyMile: Identifying the Discrepancy between Sources and Packages. (link securitylab.disi.unitn.it)
• Introducing SLSA, an End-to-End Framework for Supply Chain Integrity. (link https://security.googleblog.com/)
• Kaseya Supply-Chain Attack Hits Nearly 40 Service Providers With REvil Ransomware (link thehackernews)
• Securing the open source supply chain by scanning for package registry credentials (link github.blog)
• Software Supply Chain Angriffe (link bonndoc.ulb.uni-bonn.de)
• NPM fixes private package names leak, serious authorization bug (link https://www.bleepingcomputer.com)
• 8 Ways to backdoor a crate in Rust for fun and profit (link https://kerkour.com)
• Open-Source Software Supply Chain Attacks Attack Tree Visualization and Survey (link https://survey.opensourceunchained.eu)
• Hackers Target Real Estate Websites with Skimmer in Latest Supply Chain Attack
• Taxonomy of Attacks on Open-Source Software Supply Chains Arxiv
• Practical Automated Detection of Malicious npm Packages Arxiv
• Malicious Packages Lurking in User-Friendly Python Package Index IEEE
• A Survey on Common Threats in npm and PyPi Registries Arxiv
• Towards Understanding and Securing the OSS Supply Chain PhD thesis
• What are Weak Links in the npm Supply Chain? ICSE-SEIP 2022
• A massive widespread malware attack on Github Twitter
• Newly Uncovered PyPI Package Drops Fileless Cryptominer to Linux Systems thehackernews
• Taming Bad Python Packages: Assessing Python Malware Detectors with a Benchmark Dataset chainguard.dev
• A Benchmark Comparison of Python Malware Detection Approaches arxiv.org
• Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers checkmarx.com
• SoK: Practical Detection of Software Supply Chain Attacks ACM
• Report: PowerShell Gallery susceptible to typosquatting and other package-management attacks www.csoonline.com

Standards

• OWASP Software Component Verification Standard (OWASP SCVS) (link owasp.org)
• Reproducable Builds (link https://reproducible-builds.org/)

Talks

• DEVELOPERS AS A MALWARE DISTRIBUTION VEHICLE (link: vimeo)
• Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks (link: youtube)
• The Evolution of the Software Supply Chain Attack (link: youtube)
• Learning with ReversingLabs: Protecting Applications from Software Supply Chain Attack Whiteboard (link: youtube)
• Cyber Summit 2020: Security in the Software Supply Chain (link: youtube)
• Developing a Security Mindset: Practical Lessons for Pythonistas (link: youtube)
• JavaScript Supply Chain Security - Adam Baldwin (link : youtube)
• Collaborating to Improve Open Source Security: How the Ecosystem Is Stepping Up (link youtube)
• NDSS 2021 Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages (link youtube)
• NDSS 2021 Day 2 Keynote: Oversupplied: The Solar Winds attack (link youtube)
• How to Avoid the ‘Dependency Confusion’ Software Supply Chain Hack (link sonatype)
• USENIX Enigma 2021 - Breaking Trust – Shades of Crisis Across an Insecure Software Supply Chain (link youtube)
• Perspectives on the SolarWinds Incident (link IEEE)
• SolarWinds and the Challenges of Patching: Can We Ever Stop Dancing With the Devil? (link IEEE)
• Are we forever doomed to software supply chain security? (link Youtube)
• Secure Software Supply Chains for Python (link Youtube)

Dataset

• Backstabbers-Knife-Collection
• Bad packages from the pypi repository
• software-supply-chain-compromises (IQTLabs)
• DataDog (PyPI samples)

Real-world attacks

• Compromised npm Package: event-stream
• https://www.zdnet.com/article/malicious-npm-package-opens-backdoors-on-programmers-computers/
• Pytosquatting (https://pytosquatting.overtag.dk/)
• https://www.zdnet.com/article/npm-package-caught-stealing-sensitive-discord-and-browser-files/
• https://www.zdnet.com/article/malicious-npm-packages-caught-installing-remote-access-trojans/?ftag=COS-05-10aaa0g&taid=5fc7542c9870190001e52f2f&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=twitter
• 11 Malicious PyPI Python Libraries Caught Stealing Discord Tokens and Installing Shells (link https://thehackernews.com)
• Dependency Confusion attacks medium.com
• Breach of software maker used to backdoor ecommerce server https://arstechnica.com/
• Supply Chain Attack Using Identical PyPI Packages, “colorslib”, “httpslib”, and “libhttps” www.fortinet.com
• 3CX Supply Chain Attack — Here's What We Know So Far https://thehackernews.com

Preventions/Countermeasures

• Typosquatting and Combosquatting Attacks on the Python Ecosystem (link ieee). 2020.
• Malware Checks (link https://warehouse.readthedocs.io/)
• GitHub will require 2FA for some NPM registry users (link https://www.infoworld.com)

Conferences

• Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses