{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T16:09:08Z","timestamp":1768320548205,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":39,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,8,18]],"date-time":"2021-08-18T00:00:00Z","timestamp":1629244800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"European H2020 AssureMoss","award":["952647"],"award-info":[{"award-number":["952647"]}]},{"name":"European H2020 SPARTA","award":["830892"],"award-info":[{"award-number":["830892"]}]},{"name":"European H2020 CyberSec4Europe","award":["830929"],"award-info":[{"award-number":["830929"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,8,20]]},"DOI":"10.1145\/3468264.3468592","type":"proceedings-article","created":{"date-parts":[[2021,8,19]],"date-time":"2021-08-19T01:44:18Z","timestamp":1629337458000},"page":"780-792","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":39,"title":["LastPyMile: identifying the discrepancy between sources and packages"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5445-2729","authenticated-orcid":false,"given":"Duc-Ly","family":"Vu","sequence":"first","affiliation":[{"name":"University of Trento, Italy"}]},{"given":"Fabio","family":"Massacci","sequence":"additional","affiliation":[{"name":"University of Trento, Italy \/ Vrije Universiteit Amsterdam, Netherlands"}]},{"given":"Ivan","family":"Pashchenko","sequence":"additional","affiliation":[{"name":"University of Trento, Italy"}]},{"given":"Henrik","family":"Plate","sequence":"additional","affiliation":[{"name":"SAP Security Research, France"}]},{"given":"Antonino","family":"Sabetta","sequence":"additional","affiliation":[{"name":"SAP Security Research, France"}]}],"member":"320","published-online":{"date-parts":[[2021,8,18]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Package install scripts vulnerability. https:\/\/blog.npmjs.org\/post\/141702881055\/package-install-scripts-vulnerability Online","year":"2020","unstructured":"2016. Package install scripts vulnerability. https:\/\/blog.npmjs.org\/post\/141702881055\/package-install-scripts-vulnerability Online ; accessed 29 July 2020 . 2016. Package install scripts vulnerability. https:\/\/blog.npmjs.org\/post\/141702881055\/package-install-scripts-vulnerability Online; accessed 29 July 2020."},{"key":"e_1_3_2_1_2_1","volume-title":"Backdoor in ssh-decorator package. https:\/\/www.reddit.com\/r\/Python\/comments\/8hvzja\/backdoor_in_sshdecorator_package\/ Online","year":"2020","unstructured":"2018. Backdoor in ssh-decorator package. https:\/\/www.reddit.com\/r\/Python\/comments\/8hvzja\/backdoor_in_sshdecorator_package\/ Online ; accessed 29 July 2020 . 2018. Backdoor in ssh-decorator package. https:\/\/www.reddit.com\/r\/Python\/comments\/8hvzja\/backdoor_in_sshdecorator_package\/ Online; accessed 29 July 2020."},{"key":"e_1_3_2_1_3_1","volume-title":"Tracking which wheels can be reproducibly built. https:\/\/www.redshiftzero.com\/reproducible-wheels\/ Online","year":"2021","unstructured":"2020. Tracking which wheels can be reproducibly built. https:\/\/www.redshiftzero.com\/reproducible-wheels\/ Online ; accessed 03 January 2021 . 2020. Tracking which wheels can be reproducibly built. https:\/\/www.redshiftzero.com\/reproducible-wheels\/ Online; accessed 03 January 2021."},{"key":"e_1_3_2_1_4_1","unstructured":"William Bengtson. 2020. Python Typosquatting for Fun not Profit. https:\/\/medium.com\/@williambengtson\/python-typosquatting-for-fun-not-profit-99869579c35d Accessed: 2020-08-17.  William Bengtson. 2020. Python Typosquatting for Fun not Profit. https:\/\/medium.com\/@williambengtson\/python-typosquatting-for-fun-not-profit-99869579c35d Accessed: 2020-08-17."},{"key":"e_1_3_2_1_5_1","volume-title":"Detecting Cyber Attacks in the Python Package Index (PyPI). https:\/\/medium.com\/@bertusk\/detecting-cyber-attacks-in-the-python-package-index-pypi-61ab2b585c67 Online","year":"2020","unstructured":"Bertus. 2018. Detecting Cyber Attacks in the Python Package Index (PyPI). https:\/\/medium.com\/@bertusk\/detecting-cyber-attacks-in-the-python-package-index-pypi-61ab2b585c67 Online ; accessed 18 January 2020 . Bertus. 2018. Detecting Cyber Attacks in the Python Package Index (PyPI). https:\/\/medium.com\/@bertusk\/detecting-cyber-attacks-in-the-python-package-index-pypi-61ab2b585c67 Online; accessed 18 January 2020."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"crossref","unstructured":"Ethan Bommarito and Michael Bommarito. 2019. An Empirical Analysis of the Python Package Index (PyPI). arXiv preprint arXiv:1907.11073.  Ethan Bommarito and Michael Bommarito. 2019. An Empirical Analysis of the Python Package Index (PyPI). arXiv preprint arXiv:1907.11073.","DOI":"10.2139\/ssrn.3426281"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-30806-7_12"},{"key":"e_1_3_2_1_8_1","unstructured":"Debian. 2019. Reproducible Builds. https:\/\/reproducible-builds.org\/ Accessed: 2020-08-17.  Debian. 2019. Reproducible Builds. https:\/\/reproducible-builds.org\/ Accessed: 2020-08-17."},{"key":"e_1_3_2_1_9_1","volume-title":"Ryan Elder, Brendan Saltaformaggio, and Wenke Lee.","author":"Duan Ruian","year":"2020","unstructured":"Ruian Duan , Omar Alrawi , Ranjita Pai Kasturi , Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2020 . Measuring and preventing supply chain attacks on package managers. arXiv preprint arXiv:2002.01139. Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2020. Measuring and preventing supply chain attacks on package managers. arXiv preprint arXiv:2002.01139."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-NIER.2019.00012"},{"key":"e_1_3_2_1_11_1","volume-title":"Investigating The Reproducibility of NPM Packages. In 2020 IEEE International Conference on Software Maintenance and Evolution (ICSME). 677\u2013681","author":"Goswami Pronnoy","year":"2020","unstructured":"Pronnoy Goswami , Saksham Gupta , Zhiyuan Li , Na Meng , and Daphne Yao . 2020 . Investigating The Reproducibility of NPM Packages. In 2020 IEEE International Conference on Software Maintenance and Evolution (ICSME). 677\u2013681 . Pronnoy Goswami, Saksham Gupta, Zhiyuan Li, Na Meng, and Daphne Yao. 2020. Investigating The Reproducibility of NPM Packages. In 2020 IEEE International Conference on Software Maintenance and Evolution (ICSME). 677\u2013681."},{"key":"e_1_3_2_1_12_1","unstructured":"DANNY GRANDER and LIRAN TAL. 2018. A Post-Mortem of the Malicious event-stream backdoor. https:\/\/snyk.io\/blog\/a-post-mortem-of-the-malicious-event-stream-backdoor\/ Accessed: 2020-06-01.  DANNY GRANDER and LIRAN TAL. 2018. A Post-Mortem of the Malicious event-stream backdoor. https:\/\/snyk.io\/blog\/a-post-mortem-of-the-malicious-event-stream-backdoor\/ Accessed: 2020-06-01."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/2491055.2491070"},{"key":"e_1_3_2_1_14_1","unstructured":"Trey Herr June Lee William Loomis and Stewart Scott. 2020. Breaking Trust: Shades of Crisis Across an Insecure Software Supply Chain. https:\/\/www.atlanticcouncil.org\/in-depth-research-reports\/report\/breaking-trust-shades-of-crisis-across-an-insecure-software-supply-chain\/ Accessed: 2020-07-30.  Trey Herr June Lee William Loomis and Stewart Scott. 2020. Breaking Trust: Shades of Crisis Across an Insecure Software Supply Chain. https:\/\/www.atlanticcouncil.org\/in-depth-research-reports\/report\/breaking-trust-shades-of-crisis-across-an-insecure-software-supply-chain\/ Accessed: 2020-07-30."},{"key":"e_1_3_2_1_15_1","unstructured":"Daniel Holth. 2012. PEP 427 \u2013 The Wheel Binary Package Format 1.0. https:\/\/www.python.org\/dev\/peps\/pep-0427\/ Accessed: 2020-10-10.  Daniel Holth. 2012. PEP 427 \u2013 The Wheel Binary Package Format 1.0. https:\/\/www.python.org\/dev\/peps\/pep-0427\/ Accessed: 2020-10-10."},{"key":"e_1_3_2_1_16_1","unstructured":"Maya Kaczorowski. 2020. Secure at every step: What is software supply chain security and why does it matter? https:\/\/github.blog\/2020-09-02-secure-your-software-supply-chain-and-protect-against-supply-chain-threats-github-blog\/  Maya Kaczorowski. 2020. Secure at every step: What is software supply chain security and why does it matter? https:\/\/github.blog\/2020-09-02-secure-your-software-supply-chain-and-protect-against-supply-chain-threats-github-blog\/"},{"key":"e_1_3_2_1_17_1","unstructured":"Fiona Macdonald. 2018. How a Programmer Nearly Broke The Internet by Deleting Just 11 Lines of Code. https:\/\/www.sciencealert.com\/how-a-programmer-almost-broke-the-internet-by-deleting-11-lines-of-code  Fiona Macdonald. 2018. How a Programmer Nearly Broke The Internet by Deleting Just 11 Lines of Code. https:\/\/www.sciencealert.com\/how-a-programmer-almost-broke-the-internet-by-deleting-11-lines-of-code"},{"key":"e_1_3_2_1_18_1","volume-title":"Microsoft ApplicationInspector: A source code analyzer. https:\/\/github.com\/microsoft\/ApplicationInspector Online","year":"2020","unstructured":"Microsoft. 2019. Microsoft ApplicationInspector: A source code analyzer. https:\/\/github.com\/microsoft\/ApplicationInspector Online ; accessed 21 February 2020 . Microsoft. 2019. Microsoft ApplicationInspector: A source code analyzer. https:\/\/github.com\/microsoft\/ApplicationInspector Online; accessed 21 February 2020."},{"key":"e_1_3_2_1_19_1","unstructured":"Microsoft. 2020. OSS Gadget: Collection of tools for analyzing open source packages.. https:\/\/github.com\/microsoft\/OSSGadget  Microsoft. 2020. OSS Gadget: Collection of tools for analyzing open source packages.. https:\/\/github.com\/microsoft\/OSSGadget"},{"key":"e_1_3_2_1_20_1","unstructured":"Alvaro Mu\u00f1oz. 2003. The Octopus Scanner Malware: Attacking the open source supply chain. https:\/\/securitylab.github.com\/research\/octopus-scanner-malware-open-source-supply-chain Accessed: 2020-06-01.  Alvaro Mu\u00f1oz. 2003. The Octopus Scanner Malware: Attacking the open source supply chain. https:\/\/securitylab.github.com\/research\/octopus-scanner-malware-open-source-supply-chain Accessed: 2020-06-01."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"crossref","unstructured":"Marc Ohm Henrik Plate Arnold Sykosch and Michael Meier. 2020. Backstabber\u2019s Knife Collection: A Review of Open Source Software Supply Chain Attacks. arXiv preprint arXiv:2005.09535.  Marc Ohm Henrik Plate Arnold Sykosch and Michael Meier. 2020. Backstabber\u2019s Knife Collection: A Review of Open Source Software Supply Chain Attacks. arXiv preprint arXiv:2005.09535.","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/3407023.3409183"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417232"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3098954.3120928"},{"key":"e_1_3_2_1_25_1","unstructured":"PyCQA. [n.d.]. Security oriented static analyser for python code.. https:\/\/pypi.org\/project\/bandit\/  PyCQA. [n.d.]. Security oriented static analyser for python code.. https:\/\/pypi.org\/project\/bandit\/"},{"key":"e_1_3_2_1_26_1","unstructured":"SAP. [n.d.]. Ratings for open-source projects. https:\/\/github.com\/SAP\/fosstars-rating-core  SAP. [n.d.]. Ratings for open-source projects. https:\/\/github.com\/SAP\/fosstars-rating-core"},{"key":"e_1_3_2_1_27_1","unstructured":"Sonatype. 2019. 2019 State of the Software Supply Chain Report Reveals Best Practices From 36 000 Open Source Software Development Teams. https:\/\/www.sonatype.com\/press-release-blog\/2019-state-of-the-software-supply-chain-report-reveals-best-practices-from-36000-open-source-software-development-teams  Sonatype. 2019. 2019 State of the Software Supply Chain Report Reveals Best Practices From 36 000 Open Source Software Development Teams. https:\/\/www.sonatype.com\/press-release-blog\/2019-state-of-the-software-supply-chain-report-reveals-best-practices-from-36000-open-source-software-development-teams"},{"key":"e_1_3_2_1_28_1","unstructured":"Steve Stagg. 2017. Building a botnet on PyPi. https:\/\/hackernoon.com\/building-a-botnet-on-pypi-be1ad280b8d6 Accessed: 2020-2-11.  Steve Stagg. 2017. Building a botnet on PyPi. https:\/\/hackernoon.com\/building-a-botnet-on-pypi-be1ad280b8d6 Accessed: 2020-2-11."},{"key":"e_1_3_2_1_29_1","unstructured":"Synopsys. 2020. Synopsys 2020 Open Source Security and Risk Analysis Report. https:\/\/www.synopsys.com\/content\/dam\/synopsys\/sig-assets\/reports\/2020-ossra-report.pdf  Synopsys. 2020. Synopsys 2020 Open Source Security and Risk Analysis Report. https:\/\/www.synopsys.com\/content\/dam\/synopsys\/sig-assets\/reports\/2020-ossra-report.pdf"},{"key":"e_1_3_2_1_30_1","unstructured":"LIRAN TAL. 2019. Why npm lockfiles can be a security blindspot for injecting malicious modules. https:\/\/snyk.io\/blog\/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules\/ Accessed: 2020-06-01.  LIRAN TAL. 2019. Why npm lockfiles can be a security blindspot for injecting malicious modules. https:\/\/snyk.io\/blog\/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules\/ Accessed: 2020-06-01."},{"key":"e_1_3_2_1_31_1","volume-title":"Lorenzo De Carli, and Vaibhav Rastogi","author":"Taylor Matthew","year":"2020","unstructured":"Matthew Taylor , Ruturaj K. Vaidya , Drew Davidson , Lorenzo De Carli, and Vaibhav Rastogi . 2020 . SpellBound: Defending Against Package Typosquatting . arXiv preprint. Matthew Taylor, Ruturaj K. Vaidya, Drew Davidson, Lorenzo De Carli, and Vaibhav Rastogi. 2020. SpellBound: Defending Against Package Typosquatting. arXiv preprint."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.5281\/zenodo.4486832"},{"key":"e_1_3_2_1_34_1","unstructured":"Laurie Voss. 2018. npm and the future of JavaScript. https:\/\/slides.com\/seldo\/npm-future-of-javascript  Laurie Voss. 2018. npm and the future of JavaScript. https:\/\/slides.com\/seldo\/npm-future-of-javascript"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3420015"},{"key":"e_1_3_2_1_36_1","volume-title":"Typosquatting and Combosquatting Attacks on the Python Ecosystem. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW).","author":"Vu Duc-Ly","year":"2020","unstructured":"Duc-Ly Vu , Ivan Pashchenko , Fabio Massacci , Henrik Plate , and Antonino Sabetta . 2020 . Typosquatting and Combosquatting Attacks on the Python Ecosystem. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, and Antonino Sabetta. 2020. Typosquatting and Combosquatting Attacks on the Python Ecosystem. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)."},{"key":"e_1_3_2_1_37_1","unstructured":"Warehouse. 2020. Malware Checks. https:\/\/warehouse.readthedocs.io\/development\/malware-checks\/##malware-checks  Warehouse. 2020. Malware Checks. https:\/\/warehouse.readthedocs.io\/development\/malware-checks\/##malware-checks"},{"key":"e_1_3_2_1_38_1","unstructured":"Chris Williams. 2016. How one developer just broke Node Babel and thousands of projects in 11 lines of JavaScript. https:\/\/www.theregister.com\/2016\/03\/23\/npm_left_pad_chaos  Chris Williams. 2016. How one developer just broke Node Babel and thousands of projects in 11 lines of JavaScript. https:\/\/www.theregister.com\/2016\/03\/23\/npm_left_pad_chaos"},{"key":"e_1_3_2_1_39_1","unstructured":"Jordan Wright. 2020. Hunting for Malicious Packages on PyPI. https:\/\/jordan-wright.com\/blog\/post\/2020-11-12-hunting-for-malicious-packages-on-pypi\/  Jordan Wright. 2020. Hunting for Malicious Packages on PyPI. https:\/\/jordan-wright.com\/blog\/post\/2020-11-12-hunting-for-malicious-packages-on-pypi\/"},{"key":"e_1_3_2_1_40_1","volume-title":"28th $USENIX$ Security Symposium ($USENIX$ Security 19). 995\u20131010.","author":"Zimmermann Markus","unstructured":"Markus Zimmermann , Cristian-Alexandru Staicu , Cam Tenny , and Michael Pradel . 2019. Small world with high risks: A study of security threats in the npm ecosystem . In 28th $USENIX$ Security Symposium ($USENIX$ Security 19). 995\u20131010. Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small world with high risks: A study of security threats in the npm ecosystem. In 28th $USENIX$ Security Symposium ($USENIX$ Security 19). 995\u20131010."}],"event":{"name":"ESEC\/FSE '21: 29th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","location":"Athens Greece","acronym":"ESEC\/FSE '21","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3468264.3468592","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3468264.3468592","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T21:24:51Z","timestamp":1750195491000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3468264.3468592"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,8,18]]},"references-count":39,"alternative-id":["10.1145\/3468264.3468592","10.1145\/3468264"],"URL":"https:\/\/doi.org\/10.1145\/3468264.3468592","relation":{},"subject":[],"published":{"date-parts":[[2021,8,18]]},"assertion":[{"value":"2021-08-18","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}