HomeWinBuzzer NewsGoogle Backs OpenSSF Package Analysis Project with Malicious Open Source Package Detection

Google Backs OpenSSF Package Analysis Project with Malicious Open Source Package Detection

Google will help the OpenSSF Package Analysis Project by detecting malicious open source packages and providing access to BigQuery.


has a rich history with software… such as the company's Android mobile platform. However, there are inherent security risks in open source. In fact, Android is a good example of software that is available to everyone that can be manipulated by threat actors. To help fight this issue with open source software, Google is supporting the Open Source Security Foundation's (OpenSSF) Package Analysis Project.

The company says it will help OpenSSF to scale the Package Analysis Project, which brings the ability to scan open source packages. Google will allow results from analysis to be stored in its BigQuery fully managed serverless data warehouse.

With this support, users will get an alert if malicious open source software is uploaded to a repository. Google points out that the method will also provide more information on security through the software supply chain.

Google has analysed 200 malicious packages that were uploaded on PyPI and NPM. You can see the results here, but Google expands on the details in a blog post:

“PyPI: discordcmd

This Python package will attack the desktop client for Discord on Windows. It was found by spotting the unusual requests to raw.githubusercontent.com, Discord API, and ipinfo.io.

NPM: @roku-web-core/ajax

During install, this NPM package exfiltrates details of the machine it is running on and then opens a reverse shell, allowing the remote execution of commands.”

Ongoing Risk

Google suggests most malicious packages are from security researchers because of the lack of sophistication. In other words, researchers are investigating malicious packages instead of perpetuating them.

Still, the company points out there must be improvements in methods for vetting packages that land on repositories. Google calls for an open standard for reporting and centralizing test results. Of course, that is exactly what the OpenSSF Package Analysis Project aims to deliver.

Tip of the day: Do you sometimes face issues with Windows search where it doesn't find files or return results? Check our tutorial to see how to fix Windows search via various methods.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News