{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,5,3]],"date-time":"2025-05-03T16:48:05Z","timestamp":1746290885523},"reference-count":46,"publisher":"IEEE","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,5]]},"DOI":"10.1109\/icse-seip55303.2022.9794068","type":"proceedings-article","created":{"date-parts":[[2022,6,17]],"date-time":"2022-06-17T19:35:14Z","timestamp":1655494514000},"source":"Crossref","is-referenced-by-count":7,"title":["What are Weak Links in the npm Supply Chain?"],"prefix":"10.1109","author":[{"given":"Nusrat","family":"Zahan","sequence":"first","affiliation":[{"name":"North Carolina State University,Raleigh,NC,USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Thomas","family":"Zimmermann","sequence":"additional","affiliation":[{"name":"Microsoft Research, Redmond,Washington,USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Patrice","family":"Godefroid","sequence":"additional","affiliation":[{"name":"Microsoft Research, Redmond,Washington,USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Brendan","family":"Murphy","sequence":"additional","affiliation":[{"name":"Microsoft Research, Redmond,Washington,USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Chandra","family":"Maddila","sequence":"additional","affiliation":[{"name":"Microsoft Research, Redmond,Washington,USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Laurie","family":"Williams","sequence":"additional","affiliation":[{"name":"North Carolina State University,Raleigh,NC,USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref39","year":"2019","journal-title":"The Adverline Breach and the Emerging Risk ofUsing Third-Party Vendors"},{"key":"ref38","author":"tal","year":"2019","journal-title":"10 npm Security Best Practices"},{"key":"ref33","author":"polasani","year":"2021","journal-title":"Embedded Malware in NPM Coa Rc Ua-parser"},{"key":"ref32","year":"2021","journal-title":"Security Scorecards for Open Source Projects"},{"key":"ref31","year":"2021","journal-title":"Open Source Security Metrics"},{"key":"ref30","year":"2021","journal-title":"CII Best Practices badge program"},{"key":"ref37","author":"tal","year":"2021","journal-title":"Snyk uncovers malicious code activities in open source supply chain security on the npm registry"},{"key":"ref36","year":"2021","journal-title":"2021 state of the software supply chain"},{"key":"ref35","year":"2020","journal-title":"2020 STATE OF THE SOFTWARE SUPPLY CHAIN REPORT"},{"key":"ref34","author":"sharma","year":"2021","journal-title":"Dependency-confusion"},{"key":"ref10","author":"dinu","year":"2021","journal-title":"SolarWinds Attack Cost Impacted Companies an Average of $12 Million"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2013.03.002"},{"key":"ref11","author":"dorfman","year":"2021","journal-title":"Security holding Package"},{"key":"ref12","author":"duan","year":"2020","journal-title":"Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages"},{"key":"ref13","year":"2018","journal-title":"Postmortem for malicious packages published on july 12th 2018"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00121"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-NIER.2019.00012"},{"key":"ref16","author":"germain","year":"2021","journal-title":"Lessons Learned From the SolarWinds Supply Chain Hack"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-SEIP52600.2021.00035"},{"key":"ref18","author":"hnknta","year":"2018","journal-title":"Gathering weak npm credentials"},{"key":"ref19","author":"hoffman","year":"2021","journal-title":"SolarWinds Orion Security Breach A Shift In The Software Supply Chain Paradigm"},{"key":"ref28","year":"2021","journal-title":"Specifics of npm's package json handling"},{"key":"ref4","author":"cimpanu","year":"2018","journal-title":"Backdoored Python Library Caught Stealing SSH Credentials"},{"key":"ref27","year":"2021","journal-title":"Deprecated Package"},{"key":"ref3","author":"borins","year":"2022","journal-title":"Top-100 npm package maintainers now require 2FA"},{"key":"ref6","author":"coe","year":"2018","journal-title":"Core contributor to the conventional-changelog ecosystem had their npm credentials compromised"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"ref5","year":"2021","journal-title":"Bash Uploader Security Update"},{"key":"ref8","author":"constantin","year":"2020","journal-title":"Solarwinds attack explained And why it was so hardto detect"},{"key":"ref7","author":"constantin","year":"2018","journal-title":"Npm Attackers Sneak a Backdoor into Node js Deployments through Dependencies"},{"key":"ref2","first-page":"4","article-title":"Don't touch my code! Examining the effects of ownership on software quality","author":"bird","year":"0","journal-title":"Proceedings of the 19th ACM SIGSOFT Symposium and the 13th European Conference on Foundations of Software Engineering"},{"key":"ref9","author":"foy","year":"2021","journal-title":"The Hijacking ofPerl com"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2009.5070550"},{"key":"ref46","first-page":"995","article-title":"Small world with high risks: A study of security threats in the npm ecosystem","author":"zimmermann","year":"0","journal-title":"28th USENIX Security Symposium ( USENIX Security 19)"},{"key":"ref20","author":"hunter","year":"2018","journal-title":"Compromised NPM package Event-stream"},{"key":"ref45","author":"zhu","year":"2018","journal-title":"eslint-scope attack"},{"key":"ref22","author":"khandelwal","year":"2018","journal-title":"Ccleaner attack timeline-here's how hack-ers infected 2 3 million pcs"},{"key":"ref21","author":"kaczorowski","year":"2020","journal-title":"Secure at every step What is software supply chain security and why does it matter?"},{"key":"ref42","author":"vaughan-nichols","year":"2020","journal-title":"SolarWinds the World's Biggest Security Failure and Open Source's Better Answer"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653717"},{"key":"ref41","author":"vaidya","year":"2019","journal-title":"Security issues in language-based sofware ecosystems"},{"key":"ref23","author":"mcquade","year":"2018","journal-title":"The untold story of notpetya the most devastating cyberattack in history"},{"key":"ref44","author":"viega","year":"2001","journal-title":"Building Secure Software How to Avoid Security Problems the Right Way Portable Documents"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/1368088.1368160"},{"key":"ref43","author":"velarde","year":"2020","journal-title":"Nexus Intelligence Insights Sonatype-2020-0003 - npm malicious package 1337qq-js"},{"key":"ref25","author":"miller","year":"2020","journal-title":"The State of Open Source Security 2020"}],"event":{"name":"2022 IEEE\/ACM 44th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)","location":"Pittsburgh, PA, USA","start":{"date-parts":[[2022,5,22]]},"end":{"date-parts":[[2022,5,24]]}},"container-title":["2022 IEEE\/ACM 44th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9793838\/9793543\/09794068.pdf?arnumber=9794068","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,7,11]],"date-time":"2022-07-11T20:04:27Z","timestamp":1657569867000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9794068\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5]]},"references-count":46,"URL":"https:\/\/doi.org\/10.1109\/icse-seip55303.2022.9794068","relation":{},"subject":[],"published":{"date-parts":[[2022,5]]}}}