GitLab launches open source tool for detecting malicious code in dependencies

GitLab has released Package Hunter, a tool that must discover malicious code in dependencies, or third-party libraries that developers add to their own code, before it can do any harm. The tool is open source and released for free.

Package Hunter installs the dependencies in a sandbox environment and monitors all system calls made by the depedencies during installation. If there is a suspicious call in between, the user will receive a notification, so that he can take action. Currently Package Hunter supports NodeJS modules and Ruby Gems.

GitLab developed Package Hunter partly because it hopes that this will give developers more confidence in using public libraries. It is easy to reuse public libraries and add new functions, but there is a risk that bugs or malicious code will be added to their software via these dependencies.

Research from 2020 shows that open source packages are regularly abused for supply chain attacks. For example, malicious code was added to the popular package event stream last year. Early this year, researcher Alex Birsan published how he could use dependencies to penetrate Apple and Microsoft, among others.

GitLab has been testing Package Hunter since November last year and has now released the tool for free and open source. In this way, GitLab hopes developers will continue to contribute to the project and report bugs. Package Hunter can be added to any project using the GitLab CI template.

Package Hunter