DOI: 10.1145/3597503.3639199
Research article

RogueOne: Detecting Rogue Updates via Differential Data-flow Analysis Using Trust Domains

Published: 12 April 2024

Abstract

Rogue updates, an important type of software supply-chain attack in which attackers conceal malicious code inside updates to benign software, are a growing problem due to their stealth and effectiveness. We design and implement RogueOne, a system for detecting rogue updates to JavaScript packages. RogueOne uses a novel differential data-flow analysis to capture how an update changes a package's interactions with external APIs. Using an efficient form of abstract interpretation that can exclude unchanged code in a package, it constructs an object data-flow relationship graph (ODRG) that tracks data-flows among objects. RogueOne then maps objects to trust domains, a novel abstraction which summarizes trust relationships in a package. Objects are assigned a trust domain based on whether they originate in the target package, a dependency, or in a system API. RogueOne uses the ODRG to build a set of data-flows across trust domains. It compares data-flow sets across package versions to detect untrustworthy new interactions with external APIs. We evaluated RogueOne on hundreds of npm packages, demonstrating its effectiveness at detecting rogue updates and distinguishing them from benign ones. RogueOne achieves high accuracy and can be more than seven times as effective in detecting rogue updates and avoiding false positives compared to other systems built to detect malicious packages.
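The abstract describes three moving parts: objects labelled with a trust domain (package, dependency, or system API), a set of data-flows that cross those domains, and a set difference between two package versions. The following is an added illustration of that differential idea, not RogueOne's code and not its abstract interpreter: the object data-flow graph is hand-built for a constructed package called `example-pkg`, and the helper names (`classifyDomain`, `crossDomainFlows`, `newFlows`, `rogueFlows`) and the list of modules treated as system APIs are assumptions made for the example.

```javascript
// Added illustration of trust-domain labelling and differential data-flow
// comparison. Not RogueOne's implementation: the ODRG is constructed by hand
// instead of being produced by abstract interpretation.

// Trust domains named in the abstract.
const Domain = Object.freeze({ PACKAGE: "package", DEPENDENCY: "dependency", SYSTEM: "system" });

// Assumption for the example: a few Node.js built-ins count as system APIs.
const SYSTEM_MODULES = new Set(["fs", "child_process", "http", "https", "net", "os"]);

// Map an object's origin to a trust domain.
// origin is a constructed descriptor: { kind: "local" } or { kind: "require", module: "..." }
function classifyDomain(origin, packageName) {
  if (origin.kind === "require") {
    if (origin.module.startsWith("node:") || SYSTEM_MODULES.has(origin.module)) return Domain.SYSTEM;
    if (origin.module === packageName || origin.module.startsWith("./")) return Domain.PACKAGE;
    return Domain.DEPENDENCY;
  }
  return Domain.PACKAGE; // objects created inside the package's own code
}

// Toy ODRG: nodes carry an origin and the API they represent; edges are data-flows.
// graph = { nodes: { id: { origin, api } }, edges: [[srcId, dstId], ...] }
// Returns the set of flows that cross a trust-domain boundary, as "dom:api -> dom:api".
function crossDomainFlows(graph, packageName) {
  const flows = new Set();
  for (const [src, dst] of graph.edges) {
    const s = graph.nodes[src], d = graph.nodes[dst];
    const sd = classifyDomain(s.origin, packageName);
    const dd = classifyDomain(d.origin, packageName);
    if (sd === dd) continue; // flows inside one domain are not compared
    flows.add(`${sd}:${s.api} -> ${dd}:${d.api}`);
  }
  return flows;
}

// Differential step: cross-domain flows the new version has and the old one lacks.
function newFlows(oldGraph, newGraph, packageName) {
  const before = crossDomainFlows(oldGraph, packageName);
  const after = crossDomainFlows(newGraph, packageName);
  return [...after].filter((f) => !before.has(f)).sort();
}

// Simplified policy for the example: a new flow whose destination is a system
// API is the kind of untrustworthy new external interaction worth flagging.
function rogueFlows(oldGraph, newGraph, packageName) {
  return newFlows(oldGraph, newGraph, packageName).filter((f) => f.includes(`-> ${Domain.SYSTEM}:`));
}

const PKG = "example-pkg"; // constructed package name

// Constructed v1: the package transforms its argument and parses with a dependency.
const v1 = {
  nodes: {
    arg: { origin: { kind: "local" }, api: "arg" },
    out: { origin: { kind: "local" }, api: "result" },
    semver: { origin: { kind: "require", module: "semver" }, api: "semver.parse" },
  },
  edges: [["arg", "out"], ["semver", "out"]],
};

// Constructed v2: identical, plus package data now reaching a system network API.
const v2 = {
  nodes: {
    ...v1.nodes,
    env: { origin: { kind: "require", module: "node:os" }, api: "os.homedir" },
    req: { origin: { kind: "require", module: "https" }, api: "https.request" },
  },
  edges: [...v1.edges, ["env", "out"], ["out", "req"]],
};

// Constructed benign update: a new dependency is used, but no system sink is reached.
const v2Benign = {
  nodes: { ...v1.nodes, merge: { origin: { kind: "require", module: "lodash" }, api: "lodash.merge" } },
  edges: [...v1.edges, ["merge", "out"]],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("new cross-domain flows in v2:", newFlows(v1, v2, PKG));
  console.log("flagged in v2:", rogueFlows(v1, v2, PKG));
  console.log("flagged in benign update:", rogueFlows(v1, v2Benign, PKG));
}
```

Comparing flow sets rather than raw diffs is what lets an unchanged dependency flow (`semver.parse` in both versions) drop out of the comparison, while the benign update shows that a new cross-domain flow is not by itself a verdict; the real system's policy for which new flows count as untrustworthy is richer than the one-line sink check used here.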


Published In

ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering
May 2024
2942 pages
ISBN: 9798400702174
DOI: 10.1145/3597503

In-Cooperation

  • Faculty of Engineering of University of Porto

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. JavaScript
  2. malicious updates
  3. malware detection
  4. Node.js
  5. supply-chain security

Funding Sources

  • NSF
  • DARPA

Conference

ICSE '24

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%
