GitLab recently announced the release of a new open source tool, ‘Package Hunter’, designed to help software developers identify malicious code in their projects’ dependencies. The beta software identifies malicious dependencies through runtime monitoring rather than static inspection.
Using open source libraries carries several inherent risks, but packages containing malicious code are a distinct threat: a project is exposed either because a package it depends on directly has been compromised, or because one of that package’s own dependencies has. With attacks on the open source supply chain increasing, identifying malicious code before it reaches production is essential.
Package Hunter detects malicious code that executes within an application’s dependencies, behaviour that static scanners may not catch. The tool installs the dependencies in a sandbox and records the system calls made during installation, looking for activity an installer has no legitimate reason to perform. Anything suspicious is reported to the user for further examination.
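To make the runtime-monitoring idea concrete, here is a small analyser, added as an illustration and not GitLab's Package Hunter code, that reads system-call events recorded while a package installs inside a sandbox and flags three classes of behaviour that an installer should never exhibit: an outbound network connection, a write outside the install tree, and a read of a credential file. The event shape (process, syscall, arguments) is assumed to resemble what a syscall-tracing tool such as Falco emits; the sandbox path `/sandbox/app/node_modules`, the builder's home directory and the sample events are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SyscallEvent:
    """One system call observed inside the sandbox (constructed, Falco-like shape)."""
    proc: str                                   # process that made the call, e.g. "npm", "node"
    syscall: str                                # e.g. "openat", "connect"
    args: Dict[str, str] = field(default_factory=dict)


# Hypothetical sandbox layout: the only tree a dependency install should write to.
INSTALL_ROOT = "/sandbox/app/node_modules"

# Hypothetical credential locations an installer has no reason to read.
SENSITIVE_PATHS = (
    "/etc/shadow",
    "/root/.ssh/",
    "/home/builder/.ssh/",
    "/home/builder/.npmrc",
    "/home/builder/.gem/credentials",
)


def _opens_for_write(flags: str) -> bool:
    """True if the open(2) flag string asks for write access or file creation."""
    return any(f in flags for f in ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC"))


def classify(ev: SyscallEvent) -> Optional[Tuple[str, str]]:
    """Return (rule_name, detail) if the event is suspicious, otherwise None."""
    if ev.syscall == "connect":
        # Installing a package from the local cache/registry mirror in the sandbox
        # should not require the install scripts themselves to dial out.
        return ("outbound-network", f"{ev.proc} connected to {ev.args.get('addr', '?')}")

    if ev.syscall in ("open", "openat"):
        path = ev.args.get("path", "")
        flags = ev.args.get("flags", "")
        if _opens_for_write(flags) and not path.startswith(INSTALL_ROOT + "/"):
            return ("write-outside-install-root", f"{ev.proc} wrote {path}")
        if path.startswith(SENSITIVE_PATHS):
            return ("sensitive-file-read", f"{ev.proc} read {path}")

    return None


def analyze(events: List[SyscallEvent]) -> List[Tuple[str, str]]:
    """Run every event through the rules and collect the findings in trace order."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed trace of an install run: two benign calls followed by three that
# a dependency's install hook would only make if it were up to no good.
SAMPLE_EVENTS = [
    SyscallEvent("npm", "openat", {"path": INSTALL_ROOT + "/left-pad/index.js",
                                   "flags": "O_WRONLY|O_CREAT"}),
    SyscallEvent("node", "openat", {"path": "/etc/hosts", "flags": "O_RDONLY"}),
    SyscallEvent("node", "connect", {"addr": "203.0.113.10:443"}),
    SyscallEvent("node", "openat", {"path": "/home/builder/.ssh/id_rsa",
                                    "flags": "O_RDONLY"}),
    SyscallEvent("node", "openat", {"path": "/etc/cron.d/update",
                                    "flags": "O_WRONLY|O_CREAT"}),
]


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the constructed trace, the analyser reports the network connection, the credential read and the write to `/etc/cron.d` while letting the two ordinary install operations through. A real deployment would trace the whole process tree of `npm install` or `bundle install` and tune the write-root and sensitive-path lists to the sandbox image, since spawned lifecycle scripts, temporary build directories and legitimate registry access all generate events that these three rules do not try to distinguish.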
The tool has been in use internally at GitLab since last November and is now open sourced, with support for NodeJS modules and Ruby Gems.