The OpenSSF has announced a prototype of the Package Analysis project, which aims to identify malicious packages in popular open source repositories and thereby better secure critical projects.
According to the announcement, the project “seeks to understand the behavior and capabilities of packages available on open source repositories.” It also “tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously. This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem.”
In one month of analysis, the project identified more than 200 malicious packages uploaded to PyPI and npm, the announcement states. The project is part of the OpenSSF Securing Critical Projects Working Group, and you can learn more on GitHub.