{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,26]],"date-time":"2025-03-26T01:01:28Z","timestamp":1742950888117,"version":"3.40.3"},"publisher-location":"Cham","reference-count":40,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031255373"},{"type":"electronic","value":"9783031255380"}],"license":[{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023]]},"DOI":"10.1007\/978-3-031-25538-0_24","type":"book-chapter","created":{"date-parts":[[2023,2,3]],"date-time":"2023-02-03T13:03:34Z","timestamp":1675429414000},"page":"450-469","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Bootstrapping Trust in\u00a0Community Repository Projects"],"prefix":"10.1007","author":[{"given":"Sangat","family":"Vaidya","sequence":"first","affiliation":[]},{"given":"Santiago","family":"Torres-Arias","sequence":"additional","affiliation":[]},{"given":"Justin","family":"Cappos","sequence":"additional","affiliation":[]},{"given":"Reza","family":"Curtmola","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,2,4]]},"reference":[{"key":"24_CR1","unstructured":"Aguirre, J.: Fake npm Roblox API Package Installs Ransomware and has a Spooky Surprise. https:\/\/blog.sonatype.com\/fake-npm-roblox-api-package-installs-ransomware-spooky-surprise (2021)"},{"key":"24_CR2","doi-asserted-by":"crossref","unstructured":"Barnes, R., Hoffman-Andrews, J., McCarney, D., Kasten, J.: Automatic Certificate Management Environment (ACME). RFC 8555 (Mar 2019). https:\/\/datatracker.ietf.org\/doc\/html\/rfc8555","DOI":"10.17487\/RFC8555"},{"key":"24_CR3","unstructured":"Barsan, A.: Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies. https:\/\/medium.com\/@alex.birsan\/dependency-confusion-4a5d60fec610\/ (February 2021)"},{"key":"24_CR4","unstructured":"Burt, J.: Supply Chain Flaws Found in Python Package Repository. https:\/\/www.esecurityplanet.com\/threats\/supply-chain-flaws-found-in-python-package-repository\/ (August 2021)"},{"key":"24_CR5","doi-asserted-by":"crossref","unstructured":"Cappos, J., Samuel, J., Baker, S., Hartman, J.H.: A look in the mirror: Attacks on package managers. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 565\u2013574. CCS \u201908, ACM, New York, NY, USA (2008)","DOI":"10.1145\/1455770.1455841"},{"key":"24_CR6","unstructured":"Cappos, J., Samuel, J., Baker, S., Hartman, J.H.: Package Management Security. Tech. rep., University of Arizona (2008)"},{"key":"24_CR7","unstructured":"Cimpanu, C.: Malware found in npm package with millions of weekly downloads. https:\/\/therecord.media\/malware-found-in-npm-package-with-millions-of-weekly-downloads\/ (October 2021)"},{"key":"24_CR8","doi-asserted-by":"crossref","unstructured":"Decan, A., Mens, T., Constantinou, E.: On the impact of security vulnerabilities in the npm package dependency network. In: Proceedings of the 15th International Conference on Mining Software Repositories, pp. 181\u2013191. MSR \u201918, ACM (2018)","DOI":"10.1145\/3196398.3196401"},{"key":"24_CR9","doi-asserted-by":"publisher","unstructured":"Garrett, K., Ferreira, G., Jia, L., Sunshine, J., K\u00e4stner, C.: Detecting suspicious package updates. In: Proceedings of the 41st International Conference on Software Engineering: New Ideas and Emerging Results, pp. 13\u201316. ICSE-NIER \u201919, IEEE Press (2019). https:\/\/doi.org\/10.1109\/ICSE-NIER.2019.00012","DOI":"10.1109\/ICSE-NIER.2019.00012"},{"key":"24_CR10","unstructured":"Goodin, D.: Software downloaded 30,000 times from PyPI ransacked developers\u2019 machines. https:\/\/arstechnica.com\/gadgets\/2021\/07\/malicious-pypi-packages-caught-stealing-developer-data-and-injecting-code\/ (July 2021)"},{"key":"24_CR11","unstructured":"Kuppusamy, T.K., Diaz, V., Cappos, J.: Mercury: Bandwidth-effective prevention of rollback attacks against community repositories. In: Proceedings of the 2017 USENIX Conference on Usenix Annual Technical Conference, pp. 673\u2013688. USENIX ATC \u201917 (2017)"},{"key":"24_CR12","unstructured":"Kuppusamy, T.K., Torres-Arias, S., Diaz, V., Cappos, J.: Diplomat: Using delegations to protect community repositories. In: 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16), pp. 567\u2013581 (2016)"},{"key":"24_CR13","unstructured":"Lakshmanan, R.: Two NPM Packages With 22 Million Weekly Downloads Found Backdoored. https:\/\/thehackernews.com\/2021\/11\/two-npm-packages-with-22-million-weekly.html (November 2021)"},{"key":"24_CR14","unstructured":"Rfc 8259. https:\/\/datatracker.ietf.org\/doc\/html\/rfc8259"},{"key":"24_CR15","doi-asserted-by":"crossref","unstructured":"Ruohonen, J., Hjerppe, K., Rindell, K.: A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI. In: Proceedings of the 18th International Conference on Privacy, Security and Trust (PST). IEEE (2021)","DOI":"10.1109\/PST52912.2021.9647791"},{"key":"24_CR16","unstructured":"Sharma, A.: Sonatype Catches New PyPI Cryptomining Malware. https:\/\/blog.sonatype.com\/sonatype-catches-new-pypi-cryptomining-malware-via-automated-detection\/ (June 2021)"},{"key":"24_CR17","unstructured":"Torres-Arias, S., Afzali, H., Kuppusamy, T.K., Curtmola, R., Cappos, J.: In-toto: Providing farm-to-table guarantees for bits and bytes. In: Proceedings of the 28th USENIX Conference on Security Symposium, pp. 1393\u20131410. SEC\u201919 (2019)"},{"key":"24_CR18","unstructured":"TUF: The Update Framework. https:\/\/www.updateframework.com\/"},{"key":"24_CR19","unstructured":"Vaidya, R.K., Carli, L.D., Davidson, D., Rastogi, V.: Security issues in language-based sofware ecosystems. CoRR abs\/1903.02613 (2019)"},{"key":"24_CR20","doi-asserted-by":"publisher","unstructured":"Vu, D.L., Pashchenko, I., Massacci, F., Plate, H., Sabetta, A.: Typosquatting and combosquatting attacks on the python ecosystem. In: 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS PW). pp. 509\u2013514 (2020). https:\/\/doi.org\/10.1109\/EuroSPW51379.2020.00074","DOI":"10.1109\/EuroSPW51379.2020.00074"},{"key":"24_CR21","unstructured":"Bitcoin gold issues critical alert. https:\/\/www.enterprisetimes.co.uk\/2017\/11\/27\/bitcoin-gold-issues-critical-alert"},{"key":"24_CR22","unstructured":"Npm packages disguised as roblox api code caught carrying ransomware. https:\/\/www.theregister.com\/2021\/10\/27\/npm_roblox_ransomware\/"},{"key":"24_CR23","unstructured":"Typosquatting attacks on rubygems. https:\/\/thehackernews.com\/2020\/04\/rubygem-typosquatting-malware.html"},{"key":"24_CR24","unstructured":"Introduction to Code Signing. https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/internet-explorer\/ie-developer\/platform-apis\/ms537361(v=vs.85)"},{"key":"24_CR25","unstructured":"Minimum Requirements for the Issuance and Mgmt. of Publicly-Trusted Code Signing Certificates. https:\/\/casecurity.org\/wp-content\/uploads\/2016\/09\/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf"},{"key":"24_CR26","unstructured":"Leading Certificate Authorities and Microsoft Introduce New Standards to Protect Consumers Online. https:\/\/casecurity.org\/2016\/12\/08\/leading-certificate-authorities-and-microsoft-introduce-new-standards-to-protect-consumers-online\/"},{"key":"24_CR27","unstructured":"Comprehensive Perl Archive Network. https:\/\/www.cpan.org\/"},{"key":"24_CR28","unstructured":"in-toto. https:\/\/in-toto.io\/"},{"key":"24_CR29","unstructured":"Keybase. https:\/\/keybase.io\/"},{"key":"24_CR30","unstructured":"Let\u2019s Encrypt. https:\/\/letsencrypt.org\/"},{"key":"24_CR31","unstructured":"ACME client implementation. https:\/\/letsencrypt.org\/docs\/client-options\/"},{"key":"24_CR32","unstructured":"Javascript Node package manager. https:\/\/npmjs.com"},{"key":"24_CR33","unstructured":"NPM download stats. https:\/\/npmcharts.com\/"},{"key":"24_CR34","unstructured":"Python Packaging Index. https:\/\/pypi.org"},{"key":"24_CR35","unstructured":"PyPI download stats. https:\/\/pypistats.org\/packages\/__all__"},{"key":"24_CR36","unstructured":"RubyGems statistics. https:\/\/rubygems.org\/stats"},{"key":"24_CR37","unstructured":"Supply-chain attack hits RubyGems repository with 725 malicious packages. https:\/\/arstechnica.com\/information-technology\/2020\/04\/725-bitcoin-stealing-apps-snuck-into-ruby-repository\/ (2020)"},{"key":"24_CR38","unstructured":"Sigstore. https:\/\/www.sigstore.dev\/"},{"key":"24_CR39","unstructured":"ACME server Boulder. https:\/\/github.com\/letsencrypt\/boulder"},{"key":"24_CR40","unstructured":"Zimmermann, M., Staicu, C.A., Tenny, C., Pradel, M.: Small world with high risks: A study of security threats in the npm ecosystem. In: 28th USENIX Security Symposium (USENIX Security 19). pp. 995\u20131010 (2019)"}],"container-title":["Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering","Security and Privacy in Communication Networks"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-25538-0_24","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,2,3]],"date-time":"2023-02-03T13:12:35Z","timestamp":1675429955000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-25538-0_24"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023]]},"ISBN":["9783031255373","9783031255380"],"references-count":40,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-25538-0_24","relation":{},"ISSN":["1867-8211","1867-822X"],"issn-type":[{"type":"print","value":"1867-8211"},{"type":"electronic","value":"1867-822X"}],"subject":[],"published":{"date-parts":[[2023]]},"assertion":[{"value":"4 February 2023","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"SecureComm","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Security and Privacy in Communication Systems","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2022","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"17 October 2022","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"19 October 2022","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"securecomm2022","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/securecomm.eai-conferences.org\/2022\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Confy+","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"130","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"43","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"33% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"4","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"7","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}