Practical automated detection of malicious npm packages

A Sejfia, M Schäfer - Proceedings of the 44th International Conference …, 2022 - dl.acm.org
The npm registry is one of the pillars of the JavaScript and TypeScript ecosystems, hosting
over 1.7 million packages ranging from simple utility libraries to complex frameworks and …

Silent spring: Prototype pollution leads to remote code execution in Node.js

M Shcherbakov, M Balliu, CA Staicu - 32nd USENIX Security Symposium …, 2023 - usenix.org
Prototype pollution is a dangerous vulnerability affecting prototype-based languages like
JavaScript and the Node.js platform. It refers to the ability of an attacker to inject properties …

Modular call graph construction for security scanning of Node.js applications

BB Nielsen, MT Torp, A Møller - Proceedings of the 30th ACM SIGSOFT …, 2021 - dl.acm.org
Most of the code in typical Node.js applications comes from third-party libraries that consist
of a large number of interdependent modules. Because of the dynamic features of …

Mining Node.js vulnerabilities via object dependence graph and query

S Li, M Kang, J Hou, Y Cao - 31st USENIX Security Symposium …, 2022 - usenix.org
Node.js is a popular non-browser JavaScript platform that provides useful but sometimes
also vulnerable packages. On one hand, prior works have proposed many program analysis …

Software supply chain: review of attacks, risk assessment strategies and security controls

B Gokkaya, L Aniello, B Halak - arXiv preprint arXiv:2305.14157, 2023 - arxiv.org
The software product is a source of cyber-attacks that target organizations by using their
software supply chain as a distribution vector. As the reliance of software projects on open …

C2c: Fine-grained configuration-driven system call filtering

S Ghavamnia, T Palit, M Polychronakis - Proceedings of the 2022 ACM …, 2022 - dl.acm.org
Configuration options allow users to customize application features according to the desired
requirements. While the code that corresponds to disabled features is never executed, it still …

Wolf at the door: Preventing install-time attacks in npm with latch

E Wyss, A Wittman, D Davidson, L De Carli - … of the 2022 ACM on Asia …, 2022 - dl.acm.org
The npm software ecosystem allows developers to easily import code written by others.
However, manual vetting of every individual installed component is made difficult in many …

Jack-in-the-box: An Empirical Study of JavaScript Bundling on the Web and its Security Implications

J Rack, CA Staicu - Proceedings of the 2023 ACM SIGSAC Conference …, 2023 - dl.acm.org
In recent years, we have seen an increased interest in studying the software supply chain of
user-facing applications to uncover problematic third-party dependencies. Prior work shows …

Scaling JavaScript abstract interpretation to detect and exploit Node.js taint-style vulnerability

M Kang, Y Xu, S Li, R Gjomemo, J Hou… - … IEEE Symposium on …, 2023 - ieeexplore.ieee.org
Taint-style vulnerabilities, such as OS command injection and path traversal, are common
and severe software weaknesses. There exists an inherent trade-off between analysis …

SecBench.js: An executable security benchmark suite for server-side JavaScript

MHM Bhuiyan, AS Parthasarathy… - 2023 IEEE/ACM 45th …, 2023 - ieeexplore.ieee.org
NPM is the largest software ecosystem in the world, offering millions of free, reusable
packages. In recent years, various security threats to packages published on npm have …