software_supply_chain_papers

This repository contains a list of papers about the software supply chain.

Papers/Reports

  • Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks (link: archive). 2020.
  • Towards detection of software supply chain attacks by forensic artifacts (link: acm). 2020.
  • Measuring and preventing supply chain attacks on package managers (link: archive). 2020.
  • SpellBound: Defending Against Package Typosquatting (link: archive). 2020.
  • Security issues in language-based software ecosystems (link: archive). 2019.
  • Typosquatting and Combosquatting Attacks on the Python Ecosystem (link: IEEE). 2020.
  • Small world with high risks: A study of security threats in the npm ecosystem (link: Usenix). 2019.
  • BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain (link: atlanticcouncil). 2020.
  • A Look In the Mirror: Attacks on Package Managers (link: acm). 2008.
  • in-toto: Providing farm-to-table guarantees for bits and bytes (link: usenix). 2019.
  • Software Distribution Transparency and Auditability (link: archive). 2017.
  • Malware in the SGX supply chain: Be careful when signing enclaves! (link: IEEE). 2020.
  • Investigating the Reproducibility of NPM packages (link: thesis). 2020.
  • The Dangers of Malicious Modules (link: medium).
  • Attacks on Package Managers (link: thesis). 2019.
  • Poster: Towards Using Source Code Repositories to Identify Software Supply Chain Attacks (link: ACM).
  • Package mis-management (link: Github).
  • If You’ve Seen One, You’ve Seen Them All: Leveraging AST Clustering Using MCL to Mimic Expertise to Detect Software Supply Chain Attacks (link: Arxiv).
  • Look before you pip.
  • Challenges and Implications of Verifiable Builds for Security-Critical Open-Source Software (link: ACM).
  • Nearly 18,000 SolarWinds Customers Installed Backdoored Software (link: thehackernews).
  • For Good Measure Counting Broken Links: A Quant’s View of Software Supply Chain Security (link: Usenix).
  • What is typosquatting and how typosquatting attacks are responsible for malicious modules in npm (link: snyk.io).
  • Software Transparency: Part 1 (link: blog.azuki.vip).
  • Anomalicious: Automated Detection of Anomalous and Potentially Malicious Commits on GitHub (link: arxiv.org).
  • I Know What You Imported Last Summer: A study of security threats in the Python ecosystem (link: arxiv.org).
  • PHP's Git server hacked to add backdoors to PHP source code (link: bleepingcomputer).
  • Introducing sigstore: Easy Code Signing & Verification for Supply Chain Integrity (link: googleblog).
  • Reproducible Builds: Increasing the Integrity of Software Supply Chains (link: arxiv.org).
  • LastPyMile: Identifying the Discrepancy between Sources and Packages (link: securitylab.disi.unitn.it).
  • Introducing SLSA, an End-to-End Framework for Supply Chain Integrity (link: https://security.googleblog.com/).
  • Kaseya Supply-Chain Attack Hits Nearly 40 Service Providers With REvil Ransomware (link: thehackernews).
  • Securing the open source supply chain by scanning for package registry credentials (link: github.blog).
  • Software Supply Chain Angriffe (link: bonndoc.ulb.uni-bonn.de).
  • NPM fixes private package names leak, serious authorization bug (link: https://www.bleepingcomputer.com).
  • 8 Ways to backdoor a crate in Rust for fun and profit (link: https://kerkour.com).
  • Open-Source Software Supply Chain Attacks: Attack Tree Visualization and Survey (link: https://survey.opensourceunchained.eu).
  • Hackers Target Real Estate Websites with Skimmer in Latest Supply Chain Attack.
  • Taxonomy of Attacks on Open-Source Software Supply Chains (link: Arxiv).
  • Practical Automated Detection of Malicious npm Packages (link: Arxiv).
  • Malicious Packages Lurking in User-Friendly Python Package Index (link: IEEE).
  • A Survey on Common Threats in npm and PyPi Registries (link: Arxiv).
  • Towards Understanding and Securing the OSS Supply Chain (link: PhD thesis).
  • What are Weak Links in the npm Supply Chain? (link: ICSE-SEIP 2022).
  • A massive widespread malware attack on Github (link: Twitter).
  • Newly Uncovered PyPI Package Drops Fileless Cryptominer to Linux Systems (link: thehackernews).
  • Taming Bad Python Packages: Assessing Python Malware Detectors with a Benchmark Dataset (link: chainguard.dev).
  • A Benchmark Comparison of Python Malware Detection Approaches (link: arxiv.org).
  • Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers (link: checkmarx.com).
  • SoK: Practical Detection of Software Supply Chain Attacks (link: ACM).
  • Report: PowerShell Gallery susceptible to typosquatting and other package-management attacks (link: www.csoonline.com).

Standards

Talks

  • DEVELOPERS AS A MALWARE DISTRIBUTION VEHICLE (link: vimeo)
  • Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks (link: youtube)
  • The Evolution of the Software Supply Chain Attack (link: youtube)
  • Learning with ReversingLabs: Protecting Applications from Software Supply Chain Attack Whiteboard (link: youtube)
  • Cyber Summit 2020: Security in the Software Supply Chain (link: youtube)
  • Developing a Security Mindset: Practical Lessons for Pythonistas (link: youtube)
  • JavaScript Supply Chain Security - Adam Baldwin (link: youtube)
  • Collaborating to Improve Open Source Security: How the Ecosystem Is Stepping Up (link: youtube)
  • NDSS 2021: Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages (link: youtube)
  • NDSS 2021 Day 2 Keynote: Oversupplied: The Solar Winds attack (link: youtube)
  • How to Avoid the ‘Dependency Confusion’ Software Supply Chain Hack (link: sonatype)
  • USENIX Enigma 2021 - Breaking Trust – Shades of Crisis Across an Insecure Software Supply Chain (link: youtube)
  • Perspectives on the SolarWinds Incident (link: IEEE)
  • SolarWinds and the Challenges of Patching: Can We Ever Stop Dancing With the Devil? (link: IEEE)
  • Are we forever doomed to software supply chain security? (link: youtube)
  • Secure Software Supply Chains for Python (link: youtube)

Dataset

Real-world attacks

Preventions/Countermeasures

Conferences