{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T09:58:48Z","timestamp":1775815128621,"version":"3.50.1"},"reference-count":114,"publisher":"IEEE","license":[{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,5]]},"DOI":"10.1109\/sp46215.2023.10179332","type":"proceedings-article","created":{"date-parts":[[2023,7,21]],"date-time":"2023-07-21T17:18:15Z","timestamp":1689959895000},"page":"1578-1595","source":"Crossref","is-referenced-by-count":17,"title":["Investigating Package Related Security Threats in Software Registries"],"prefix":"10.1109","author":[{"given":"Yacong","family":"Gu","sequence":"first","affiliation":[{"name":"QI-ANXIN Technology Research Institute"}]},{"given":"Lingyun","family":"Ying","sequence":"additional","affiliation":[{"name":"QI-ANXIN Technology Research Institute"}]},{"given":"Yingyuan","family":"Pu","sequence":"additional","affiliation":[{"name":"QI-ANXIN Technology Research Institute"}]},{"given":"Xiao","family":"Hu","sequence":"additional","affiliation":[{"name":"QI-ANXIN Technology Research Institute"}]},{"given":"Huajun","family":"Chai","sequence":"additional","affiliation":[{"name":"QI-ANXIN Technology Research Institute"}]},{"given":"Ruimin","family":"Wang","sequence":"additional","affiliation":[{"name":"QI-ANXIN Technology Research Institute"}]},{"given":"Xing","family":"Gao","sequence":"additional","affiliation":[{"name":"University of Delaware"}]},{"given":"Haixin","family":"Duan","sequence":"additional","affiliation":[{"name":"Tsinghua University"}]}],"member":"263","reference":[{"key":"ref1","article-title":"Maven Central Repository Search"},{"key":"ref2","article-title":"npm"},{"key":"ref3","article-title":"PyPI \u2022 The Python Package Index"},{"key":"ref4","article-title":"NuGet Gallery"},{"key":"ref5","article-title":"Sonatype\u2019s 2021 State of the Software Supply Chain"},{"key":"ref6","article-title":"Popular npm Library Hijacked to Install Password-stealers, Miners"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.23055"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/3510457.3513044"},{"key":"ref9","article-title":"Small World with High Risks: A Study of Security Threats in the npm Ecosystem","author":"Zimmermann","year":"2019","journal-title":"USENIX Security"},{"key":"ref10","article-title":"Changing Your GitHub Username"},{"key":"ref11","article-title":"Transferring a Repository"},{"key":"ref12","article-title":"crates.io: Rust Package Registry"},{"key":"ref13","article-title":"Go Packages"},{"key":"ref14","article-title":"Aliyun npm Mirror"},{"key":"ref15","article-title":"Nexus Repository - Software Component Management"},{"key":"ref16","article-title":"JFrog Artifactory - Universal Artifact Repository Manager"},{"key":"ref17","article-title":"NuGet Package Version Reference"},{"key":"ref18","article-title":"Malicious NPM Libraries Caught Installing Password Stealer and Ransomware"},{"key":"ref19","article-title":"Cryptocurrency Clipboard Hijacker Discovered in PyPI Repository"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196514"},{"key":"ref21","article-title":"Potential Email Compromise via Dangling DNS MX","author":"Reed","year":"2020"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"ref23","article-title":"Cracking Wall of Confinement: Understanding and Analyzing Malicious Domain Takedowns","author":"Alowaisheq","year":"2019","journal-title":"NDSS"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978387"},{"key":"ref25","article-title":"Millions of Phone Numbers Are Being Reused Every Year"},{"key":"ref26","article-title":"Recycled Bank Accounts Can Mean Sending Money to the Wrong Person"},{"key":"ref27","article-title":"Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies"},{"key":"ref28","article-title":"This week in malware\u2014400+ npm packages target Azure, Uber, Airbnb developers"},{"key":"ref29","article-title":"Remote code execution on rubygems.org"},{"key":"ref30","article-title":"Remote code execution on packagist.org"},{"key":"ref31","article-title":"How to take over the computer of any Java (or Clojure or Scala) developer"},{"key":"ref32","article-title":"The CouchDB API"},{"key":"ref33","article-title":"NXDOMAIN: There Really Is Nothing Underneath"},{"key":"ref34","article-title":"Whois - Client for the WHOIS Directory Service"},{"key":"ref35","article-title":"Large-scale npm Attack Targets Azure Developers with Malicious Packages"},{"key":"ref36","article-title":"Sonatype Stops Software Supply Chain Attack Aimed at the Java Developer Community"},{"key":"ref37","article-title":"Malicious PyPI Packages with over 10,000 Downloads Taken Down"},{"key":"ref38","article-title":"Gradle Build Tool"},{"key":"ref40","volume-title":"The Long \u2019Taile\u2019 of Typosquatting Domain Names","author":"Szurdi","year":"2014"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23058"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-13257-0_17"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/3278532.3278569"},{"key":"ref44","article-title":"Package phishing"},{"key":"ref45","article-title":"node-ipc npm Package Sabotage to Protest Ukraine Invasion"},{"key":"ref46","article-title":"Meet the Developers Behind Sonatype\u2019s Automated Malware Detection System Securing Open Source Supply Chains"},{"key":"ref47","article-title":"New npm scanning tool sniffs out malicious code"},{"key":"ref48","article-title":"Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies","author":"Birsan","year":"2021"},{"key":"ref49","article-title":"[Distutils] Closing the Delete File + Re-upload File Loophole","author":"Stufft","year":"2015"},{"key":"ref50","article-title":"Npm-Unpublish | Npm Docs"},{"key":"ref51","article-title":"TIOBE Index"},{"key":"ref52","article-title":"PYPL PopularitY of Programming Language"},{"key":"ref53","article-title":"Aliyun Maven Repository Central"},{"key":"ref54","article-title":"Huawei Cloud Maven Public"},{"key":"ref55","article-title":"NJU Maven Repository Central"},{"key":"ref56","article-title":"Aliyun Python Package Index"},{"key":"ref57","article-title":"Douban Python Package Index"},{"key":"ref58","article-title":"NJU Python Package Index"},{"key":"ref59","article-title":"Tsinghua Python Package Index"},{"key":"ref60","article-title":"Huawei npm Mirror"},{"key":"ref61","article-title":"Tencent npm Mirror"},{"key":"ref62","article-title":"NJU npm Mirror"},{"key":"ref63","article-title":"Tsinghua Cargo Mirror"},{"key":"ref64","article-title":"SJTU Cargo Mirror"},{"key":"ref65","article-title":"USTC Cargo Mirror"},{"key":"ref66","article-title":"Huawei NuGet Mirror"},{"key":"ref67","article-title":"Microsoft Azure NuGet Mirror for China"},{"key":"ref68","article-title":"Qiniu Cloud - Goproxy.cn"},{"key":"ref69","article-title":"How Great is the Great Firewall? Measuring China\u2019s DNS Censorship","author":"Hoang","year":"2021","journal-title":"USENIX Security"},{"key":"ref70","article-title":"Sonatype JIRA"},{"key":"ref71","article-title":"OSSRH Guide - The Central Repository Documentation"},{"key":"ref72","article-title":"Users API | GitHub"},{"key":"ref73","article-title":"Users API | GitLab"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1145\/3131365.3131399"},{"key":"ref75","article-title":"Exploring the Unchartered Space of Container Registry Typosquatting","author":"Liu","year":"2022","journal-title":"USENIX Security"},{"key":"ref76","article-title":"Deleting Your User Account"},{"key":"ref77","article-title":"PyPI\u2019s XML-RPC methods"},{"key":"ref78","article-title":"New Package Moniker Rules"},{"key":"ref79","article-title":"Binary Codes Capable of Correcting Deletions, Insertions, and Reversals","author":"Levenshtein","year":"1966","journal-title":"Soviet Physics Doklady"},{"key":"ref80","article-title":"Scoped Packages"},{"key":"ref81","article-title":"Sonatype Stops Software Supply Chain Attack Aimed at the Java Developer Community"},{"key":"ref82","article-title":"JetBrains 2021 Dev Ecosystem Survey"},{"key":"ref83","article-title":"JCenter Repository"},{"key":"ref84","article-title":"JitPack - Publish JVM and Android libraries"},{"key":"ref85","article-title":"MITRE CVE List"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455841"},{"key":"ref87","article-title":"Typosquatting in Programming Language Package Managers","volume-title":"Ph.D. dissertation","author":"Tschacher","year":"2016"},{"key":"ref88","article-title":"Understanding the Impact of Apache Log4j Vulnerability","author":"Wetter"},{"key":"ref89","article-title":"[CVE-2019-15224] Version 1.6.13 published with malicious backdoor. \u2022 Issue #713 \u2022 rest-client\/rest-client"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313481"},{"key":"ref91","article-title":"Postmortem for Malicious Packages Published on July 12th, 2018"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-21544-5_5"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.1109\/CSMR.2013.33"},{"key":"ref94","doi-asserted-by":"crossref","DOI":"10.1145\/3196398.3196401","article-title":"On the Impact of Security Vulnerabilities in the npm Package Dependency Network","author":"Decan","year":"2018","journal-title":"MSR"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2016.02.003"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23071"},{"key":"ref97","article-title":"A Sense of Time for JavaScript and Node.js: First-Class Timeouts as a Cure for Event Handler Poisoning","author":"Davis","year":"2018","journal-title":"USENIX Security"},{"key":"ref98","article-title":"Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers","author":"Staicu","year":"2018","journal-title":"USENIX Security"},{"key":"ref99","volume-title":"Dependencies We Trust: How Vulnerable Are Dependencies in Software Modules?","author":"Hejderup","year":"2015"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9589-y"},{"key":"ref101","article-title":"Can I Take Your Subdomain? Exploring Same-Site Attacks in the Modern Web","author":"Squarcina","year":"2021","journal-title":"USENIX Security"},{"key":"ref102","article-title":"Game of Registrars: An Empirical Analysis of Post-Expiration Domain Name Takeovers","author":"Lauinger","year":"2017","journal-title":"USENIX Security"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417252"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00033"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1109\/eCrime54498.2021.9738792"},{"key":"ref106","doi-asserted-by":"publisher","DOI":"10.1145\/3411764.3445085"},{"key":"ref107","volume-title":"A Survey Study of Password Setting and Reuse.","author":"Li","year":"2020"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23357"},{"key":"ref109","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23350"},{"key":"ref110","volume-title":"How Users Choose and Reuse Passwords","author":"Hanamsagar","year":"2016"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.16"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1145\/2488388.2488474"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134002"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-14577-3_15"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW51379.2020.00074"}],"event":{"name":"2023 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2023,5,21]]},"end":{"date-parts":[[2023,5,25]]}},"container-title":["2023 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10179215\/10179280\/10179332.pdf?arnumber=10179332","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,7,20]],"date-time":"2024-07-20T05:16:06Z","timestamp":1721452566000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10179332\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5]]},"references-count":114,"URL":"https:\/\/doi.org\/10.1109\/sp46215.2023.10179332","relation":{},"subject":[],"published":{"date-parts":[[2023,5]]}}}