> Our interviews identified only a single Linux distribution, Wolfi OS, that performs active malware scanning.
Seems like several authors are affiliated with Chainguard that created Wolfi.
kswagage 34 days ago [-]
To their credit they do declare their affiliation to Chainguard on the first page of the paper. (It's half the authors of the paper for those who don't want to read)
ashishbijlani 34 days ago [-]
Good to see Packj[1] as one of the malware scanners used.
Packj detects malicious PyPI/NPM/Ruby/PHP/etc. dependencies using behavioral analysis. It uses static+dynamic code analysis to scan for indicators of compromise (e.g., spawning of shell, use of SSH keys, network communication, use of decode+eval, etc). It also checks for several metadata attributes to detect bad actors (e.g., typo squatting).
warkdarrior 34 days ago [-]
Interesting, thanks for the pointer. I'll have to see how easy it is to bypass.
ruthmarx 34 days ago [-]
Let us know how far you get!
SamuelAdams 34 days ago [-]
This study seems flawed. It references the Xz backdoor, but then talks about malware in Linux distribution packages?
It would make more sense to study and interview package management systems like PyPy and Nuget instead.
worksonmine 34 days ago [-]
How is it flawed? If the intent is to investigate Linux packages isn't the repositories of Linux distributions the best place to study?
Debian for example packages PyPi packages and the maintainer could introduce a backdoor in the version provided by Debian. Only focusing on PyPi wouldn't catch that case.
SV_BubbleTime 34 days ago [-]
Would a XZ hack have not worked on a Linux machine? (It would have)
Are researching PyPy and Pip and Nuget and VSCode Extensions and AI pickle models all exclusive?
Seems like several authors are affiliated with Chainguard that created Wolfi.
1. https://github.com/ossillate-inc/packj
Packj detects malicious PyPI/NPM/Ruby/PHP/etc. dependencies using behavioral analysis. It uses static+dynamic code analysis to scan for indicators of compromise (e.g., spawning of shell, use of SSH keys, network communication, use of decode+eval, etc). It also checks for several metadata attributes to detect bad actors (e.g., typo squatting).
It would make more sense to study and interview package management systems like PyPy and Nuget instead.
Debian for example packages PyPi packages and the maintainer could introduce a backdoor in the version provided by Debian. Only focusing on PyPi wouldn't catch that case.
Are researching PyPy and Pip and Nuget and VSCode Extensions and AI pickle models all exclusive?