
USENIX Security Accepts a Research Paper from Cheng Huang's Team at Sichuan University on Malicious Software Package Detection

Date: Mar 15, 2024

The 33rd USENIX Security Symposium has accepted a paper from Cheng Huang's team at the School of Cyberspace Science and Engineering, Sichuan University (SCU), on detecting malicious NPM packages: "DONAPI: Malicious NPM Packages Detector using Behavior Sequence Knowledge Mapping." Associate Professor Cheng Huang is the first author, and SCU is the sole corresponding institution.

USENIX Security, first held in 1990, is one of the four top-tier international academic conferences in information security, alongside IEEE S&P, ACM CCS, and NDSS, and is rated a Class A conference by the China Computer Federation (CCF). This is the first paper SCU has published at the venue as the first-affiliated institution, marking a new milestone for the university's information security research.

As modular software development has become the norm, package managers and language ecosystems have grown with it. Among them, NPM (Node Package Manager) is the most widely used: it hosts over 2 million third-party open-source libraries and greatly simplifies building software from existing code. However, recent research has shown that package managers are abused by attackers to distribute malware, putting developers and end users at risk. For example, eslint-scope, an NPM package downloaded millions of times a week, was hijacked after its maintainer's credentials were stolen, and a malicious version was published to its users in a code-poisoning attack.

To analyse and categorise NPM supply-chain attack samples at scale, the study first synchronised a local package cache of over 3.4 million packages in near real time, so that full package code, not just registry metadata, was available for inspection. Malicious packages gathered from public datasets and security reports were then inspected manually and analysed by their API call sequences, yielding a hierarchical classification framework and a behaviour knowledge base that covers the different sensitive behaviours observed.

Building on this knowledge, the team implemented DONAPI, an automatic malicious NPM package detector that combines static and dynamic analysis. Code reconstruction and static analysis first produce a preliminary maliciousness assessment of each package; dynamic API call sequences are then extracted to confirm that verdict and to resolve obfuscated content that static analysis alone cannot handle. Finally, each malicious package is classified and labelled against the constructed behaviour knowledge base.

In real-world detection, 325 malicious packages were identified (each confirmed manually), and the analysis uncovered two rarely seen API calls and 246 API call sequences that did not appear in any previously known sample.

About the author:

Dr. Cheng Huang is an associate professor and master's student advisor. He has long been committed to research and talent cultivation in cyberspace security, in areas including network attack and defence, online content pollution governance, and application security.





© 2020 World-Class University Development Office