└── README.md /README.md: -------------------------------------------------------------------------------- 1 | # software_supply_chain_papers 2 | This repository contains a list of papers about software supply chain 3 | 4 | ## Papers/Reports 5 | - Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks (link: [archive](https://arxiv.org/abs/2005.09535)). 2020. 6 | - Towards detection of software supply chain attacks by forensic artifacts (link: [acm](https://dl.acm.org/doi/abs/10.1145/3407023.3409183)). 2020. 7 | - Measuring and preventing supply chain attacks on package managers (link: [archive](https://arxiv.org/abs/2002.01139)). 2020. 8 | - SpellBound: Defending Against Package Typosquatting (link: [archive](https://arxiv.org/abs/2003.03471)). 2020 9 | - Security issues in language-based sofware ecosystems (link [archive](https://arxiv.org/abs/1903.02613)). 2019. 10 | - Typosquatting and Combosquatting Attacks on the Python Ecosystem (link [IEEE](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9229803)). 2020. 11 | - Small world with high risks: A study of security threats in the npm ecosystem (link [Usenix](https://www.usenix.org/conference/usenixsecurity19/presentation/zimmerman)). 2019. 12 | - BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain (link [atlanticcouncil](https://www.atlanticcouncil.org/in-depth-research-reports/report/breaking-trust-shades-of-crisis-across-an-insecure-software-supply-chain/)). 2020. 13 | - A Look In the Mirror: Attacks on Package Managers (link [acm](https://dl.acm.org/doi/abs/10.1145/1455770.1455841)). 2008. 14 | - in-toto: Providing farm-to-table guarantees for bits and bytes (link [usenix](https://www.usenix.org/system/files/sec19-torres-arias.pdf)). 2019. 15 | - Software Distribution Transparency and Auditability (link [archive](https://arxiv.org/abs/1711.07278)). 2017. 16 | - Malware in the SGX supply chain: Be careful when signing enclaves! (link [IEEE](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9200779)). 2020. 17 | - Investigating the Reproducbility of NPM packages (link [thesis](https://vtechworks.lib.vt.edu/bitstream/handle/10919/98491/Goswami_P_T_2020.pdf?sequence=1&isAllowed=y)). 2020. 18 | - The Dangers of Malicious Modules[medium](https://medium.com/intrinsic/common-node-js-attack-vectors-the-dangers-of-malicious-modules-863ae949e7e8) 19 | - Attacks on Package Managers (link [thesis](https://is.muni.cz/th/y41ft/thesis_final_electronic.pdf)). 2019. 20 | - Poster: Towards Using Source Code Repositories to Identify Software Supply Chain Attacks (link [ACM](https://dl.acm.org/doi/pdf/10.1145/3372297.3420015)) 21 | - Package mis-management (link [Github](https://github.com/benjaoming/pytosquatting/blob/master/misc/bornhack-talk/slides.pdf)) 22 | - If You’ve Seen One, You’ve Seen Them All: Leveraging AST Clustering Using MCL to Mimic Expertise to Detect Software Supply Chain Attacks (link [Arxiv](https://arxiv.org/abs/2011.02235)) 23 | - [Look before you pip](https://www.ayrx.me/look-before-you-pip) 24 | - Challenges and Implications of Verifiable Builds for Security-Critical Open-Source Software (link [ACM](https://dl.acm.org/doi/10.1145/2664243.2664288)) 25 | - Nearly 18,000 SolarWinds Customers Installed Backdoored Software (link[thehackernews](https://thehackernews.com/2020/12/nearly-18000-solarwinds-customers.html?fbclid=IwAR3PMg4kHY2tdSSYZmz38GC28vzAMibzgPpRmsvGva7axHepWfyA20sd8ZA)) 26 | - For Good Measure Counting Broken Links: A Quant’s View of Software Supply Chain Security (link [Usenix](https://www.usenix.org/system/files/login/articles/login_winter20_17_geer.pdf)) 27 | - What is typosquatting and how typosquatting attacks are responsible for malicious modules in npm (link [snyk.io](https://snyk.io/blog/typosquatting-attacks/)) 28 | - Software Transparency: Part 1 29 | (link [blog.azuki.vip](https://blog.azuki.vip/software-transparency/)) 30 | - Anomalicious: Automated Detection of Anomalous and Potentially Malicious Commits on GitHub (link [arxiv.org](https://arxiv.org/abs/2103.03846)) 31 | - I Know What You Imported Last Summer: A study of security threats in the Python ecosystem (link [arxiv.org](https://arxiv.org/abs/2102.06301)) 32 | - PHP's Git server hacked to add backdoors to PHP source code (link [bleepingcomputer](https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/)) 33 | - Introducing sigstore: Easy Code Signing & Verification for Supply Chain Integrity (link [googleblog](https://security.googleblog.com/2021/03/introducing-sigstore-easy-code-signing.html)) 34 | - Reproducible Builds: Increasing the Integrity of Software Supply Chains (link [arxiv.org](https://arxiv.org/pdf/2104.06020.pdf)) 35 | - LastPyMile: Identifying the Discrepancy between Sources and Packages. (link [securitylab.disi.unitn.it](https://securitylab.disi.unitn.it/lib/exe/fetch.php?media=research_activities:experiments:esecfse2021.pdf)) 36 | - Introducing SLSA, an End-to-End Framework for Supply Chain Integrity. (link [https://security.googleblog.com/](https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html)) 37 | - Kaseya Supply-Chain Attack Hits Nearly 40 Service Providers With REvil Ransomware (link [thehackernews](https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html)) 38 | - Securing the open source supply chain by scanning for package registry credentials (link [github.blog](https://github.blog/2021-06-08-securing-open-source-supply-chain-scanning-package-registry-credentials/)) 39 | - Software Supply Chain Angriffe (link [bonndoc.ulb.uni-bonn.de](https://bonndoc.ulb.uni-bonn.de/xmlui/bitstream/handle/20.500.11811/9325/6386.pdf?sequence=1)) 40 | - NPM fixes private package names leak, serious authorization bug (link [https://www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/npm-fixes-private-package-names-leak-serious-authorization-bug/)) 41 | - 8 Ways to backdoor a crate in Rust for fun and profit (link [https://kerkour.com](https://kerkour.com/rust-crate-backdoor/)) 42 | - Open-Source Software Supply Chain Attacks Attack Tree Visualization and Survey (link [https://survey.opensourceunchained.eu](https://survey.opensourceunchained.eu/index.html)) 43 | - [Hackers Target Real Estate Websites with Skimmer in Latest Supply Chain Attack](https://thehackernews.com/2022/01/hackers-target-real-estate-websites.html?fbclid=IwAR1ZYwBl_4Bn9UiStDaNEpUPJkYJC8QWACMD2a7x3pcMOfErwQOl9EGbKdI) 44 | - Taxonomy of Attacks on Open-Source Software Supply Chains [Arxiv](https://arxiv.org/abs/2204.04008) 45 | - Practical Automated Detection of Malicious npm Packages [Arxiv](https://arxiv.org/abs/2202.13953) 46 | - Malicious Packages Lurking in User-Friendly Python Package Index [IEEE](https://ieeexplore.ieee.org/abstract/document/9724451) 47 | - A Survey on Common Threats in npm and PyPi Registries [Arxiv](https://arxiv.org/abs/2108.09576) 48 | - Towards Understanding and Securing the OSS Supply Chain [PhD thesis](http://www.lyvu.me/papers/vu-thesis-final.pdf) 49 | - What are Weak Links in the npm Supply Chain? [ICSE-SEIP 2022](https://arxiv.org/abs/2112.10165) 50 | - A massive widespread malware attack on Github [Twitter](https://twitter.com/stephenlacy/status/1554697077430505473) 51 | - Newly Uncovered PyPI Package Drops Fileless Cryptominer to Linux Systems [thehackernews](https://thehackernews.com/2022/08/newly-uncovered-pypi-package-drops.html) 52 | - Taming Bad Python Packages: Assessing Python Malware Detectors with a Benchmark Dataset [chainguard.dev](https://blog.chainguard.dev/taming-python-malware-scanners/) 53 | - A Benchmark Comparison of Python Malware Detection Approaches [arxiv.org](https://arxiv.org/abs/2209.13288) 54 | - Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers [checkmarx.com](https://checkmarx.com/blog/hijacking-s3-buckets-new-attack-technique-exploited-in-the-wild-by-supply-chain-attackers/) 55 | - SoK: Practical Detection of Software Supply Chain Attacks [ACM](https://dl.acm.org/doi/abs/10.1145/3600160.3600162) 56 | - Report: PowerShell Gallery susceptible to typosquatting and other package-management attacks [www.csoonline.com](https://www.csoonline.com/article/649716/report-powershell-gallery-susceptible-to-typosquatting-and-other-package-management-attacks.html) 57 | ## Standards 58 | - OWASP Software Component Verification Standard (OWASP SCVS) (link [owasp.org](https://owasp.org/www-project-software-component-verification-standard/)) 59 | - Reproducable Builds (link [https://reproducible-builds.org/](https://reproducible-builds.org/)) 60 | 61 | 62 | ## Talks 63 | - DEVELOPERS AS A MALWARE DISTRIBUTION VEHICLE (link: [vimeo](https://vimeo.com/287728855)) 64 | - Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks (link: [youtube](https://www.youtube.com/watch?v=JZMrzJ1bY3E)) 65 | - The Evolution of the Software Supply Chain Attack (link: [youtube](https://www.youtube.com/watch?v=4onCKbtWszQ&t=2s)) 66 | - Learning with ReversingLabs: Protecting Applications from Software Supply Chain Attack Whiteboard (link: [youtube](https://www.youtube.com/watch?v=wHHN0tQDrvs&t=2s)) 67 | - Cyber Summit 2020: Security in the Software Supply Chain (link: [youtube](https://www.youtube.com/watch?v=S_8XvXicoMc)) 68 | - Developing a Security Mindset: Practical Lessons for Pythonistas (link: [youtube](https://www.youtube.com/watch?v=MuSjyBF0Pac&ab_channel=PyTexas)) 69 | - JavaScript Supply Chain Security - Adam Baldwin (link : [youtube](https://www.youtube.com/watch?v=HDo2iOlkbyc&ab_channel=LocoMocoSec%3AHawaiiProductSecurityConference)) 70 | - Collaborating to Improve Open Source Security: How the Ecosystem Is Stepping Up (link [youtube](https://www.youtube.com/watch?v=tHwLCDrs1zQ&feature=youtu.be&ab_channel=RSAConference)) 71 | - NDSS 2021 Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages (link [youtube](https://www.youtube.com/watch?v=WM6S5paxueA&ab_channel=NDSSSymposium)) 72 | - NDSS 2021 Day 2 Keynote: Oversupplied: The Solar Winds attack (link [youtube](https://www.youtube.com/watch?v=58ZQgARtSQ4&ab_channel=NDSSSymposium)) 73 | - How to Avoid the ‘Dependency Confusion’ Software Supply Chain Hack 74 | (link [sonatype](https://play.sonatype.com/watch/uawNU5vMKMFco4sPHJDFn5?utm_campaign=Q1%202021%3A%20International%20Dependency%20Confusion%20Webinar&utm_medium=email&_hsmi=114288656&_hsenc=p2ANqtz--JWLQAuknODp6XW2zfuD5LLb54RoPi3IvoB-oF1o9PrQeMwo0zWEdTJ5YblzSaltzV7mCZO1YoXLU_UhYrw55cWiaL6Q&utm_content=114288656&utm_source=hs_email)) 75 | - USENIX Enigma 2021 - Breaking Trust – Shades of Crisis Across an Insecure Software Supply Chain (link [youtube](https://www.youtube.com/watch?v=V-i1v5JvwJ4&t=1215s&ab_channel=USENIXEnigmaConference)) 76 | - Perspectives on the SolarWinds Incident (link [IEEE](https://www.computer.org/csdl/magazine/sp/2021/02/09382367/1saZVPHhZew)) 77 | - SolarWinds and the Challenges of Patching: Can We Ever Stop Dancing With the Devil? (link [IEEE](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9382358)) 78 | - Are we forever doomed to software supply chain security? (link [Youtube](https://www.youtube.com/watch?v=qzpnplMu8E4&ab_channel=Snyk)) 79 | - Secure Software Supply Chains for Python (link [Youtube](https://www.youtube.com/watch?v=VWWgkF-0cDQ&ab_channel=PyConUS)) 80 | 81 | ## Dataset 82 | - [Backstabbers-Knife-Collection](https://dasfreak.github.io/Backstabbers-Knife-Collection/) 83 | - [Bad packages from the pypi repository](https://github.com/hannob/pypi-bad) 84 | - [software-supply-chain-compromises (IQTLabs)](https://github.com/IQTLabs/software-supply-chain-compromises) 85 | - [DataDog (PyPI samples)](https://github.com/DataDog/security-labs-pocs/commit/33b827eafd40c15c862ba035c9ce9ec25471c4dd) 86 | 87 | ## Real-world attacks 88 | - FAQ on the xz-utils backdoor (CVE-2024-3094) [Github](https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27) 89 | - [Compromised npm Package: event-stream](https://medium.com/intrinsic/compromised-npm-package-event-stream-d47d08605502) 90 | - https://www.zdnet.com/article/malicious-npm-package-opens-backdoors-on-programmers-computers/ 91 | - Pytosquatting (https://pytosquatting.overtag.dk/) 92 | - https://www.zdnet.com/article/npm-package-caught-stealing-sensitive-discord-and-browser-files/ 93 | - https://www.zdnet.com/article/malicious-npm-packages-caught-installing-remote-access-trojans/?ftag=COS-05-10aaa0g&taid=5fc7542c9870190001e52f2f&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=twitter 94 | - 11 Malicious PyPI Python Libraries Caught Stealing Discord Tokens and Installing Shells (link [https://thehackernews.com](https://thehackernews.com/2021/11/11-malicious-pypi-python-libraries.html?fbclid=IwAR0RWW41nGbaTAibWkiDwB4ZHJ45aZh9-CzPoz9za9uxaulGEOsD6Or7FEU)) 95 | - Dependency Confusion attacks [medium.com](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610) 96 | - Breach of software maker used to backdoor ecommerce server [https://arstechnica.com/](https://arstechnica.com/information-technology/2022/09/breach-of-software-maker-used-to-backdoor-as-many-as-200000-servers/) 97 | - Supply Chain Attack Using Identical PyPI Packages, “colorslib”, “httpslib”, and “libhttps” [www.fortinet.com](https://www.fortinet.com/blog/threat-research/supply-chain-attack-using-identical-pypi-packages-colorslib-httpslib-libhttps) 98 | - 3CX Supply Chain Attack — Here's What We Know So Far [https://thehackernews.com](https://thehackernews.com/2023/03/3cx-supply-chain-attack-heres-what-we.html?fbclid=IwAR1Rp2rofwNnNvVW1tJw0HB1eVa4AnDWjZ0CAc4lc84rm5wyiSuyfoauZLk) 99 | ## Preventions/Countermeasures 100 | - Typosquatting and Combosquatting Attacks on the Python Ecosystem (link [ieee](https://ieeexplore.ieee.org/abstract/document/9229803)). 2020. 101 | - Malware Checks (link [https://warehouse.readthedocs.io/](https://warehouse.readthedocs.io/development/malware-checks.html#malware-checks)) 102 | - GitHub will require 2FA for some NPM registry users (link [https://www.infoworld.com](https://www.infoworld.com/article/3641237/github-will-require-2fa-for-some-npm-registry-users.html)) 103 | 104 | 105 | ## Conferences 106 | - [Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses](https://dl.acm.org/doi/proceedings/10.1145/3560835) 107 | --------------------------------------------------------------------------------