GitLab has released Package Hunter, a tool that aims to discover malicious code in dependencies, or third-party libraries that developers add to their own code, before it can do any damage. The tool is open source and released for free.
Package Hunter installs the dependencies in a sandbox environment and monitors all system calls the dependencies make during installation. If there is a suspicious call in between, the user receives a notification so that he can take action. Currently, Package Hunter supports NodeJS modules and Ruby Gems.
GitLab developed Package Hunter partly because it hopes that it will give developers more confidence in using public libraries. It is easy to reuse public libraries and add new functions, but there is a risk that bugs or malicious code will be added to their software through these dependencies.
Research from 2020 shows that open source packages are regularly abused for supply chain attacks. For example, malicious code was added last year to the popular package event stream. Start this year published researcher Alex Birsan how he could use dependencies to penetrate Apple and Microsoft, among others.
GitLab has been testing Package Hunter since November last year and has now released the tool for free and open source. In this way, GitLab hopes that developers will continue to contribute to the project and report bugs. Package Hunter can handle any project added with the GitLab CI template.
Pack Hunter