{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,17]],"date-time":"2026-04-17T15:57:38Z","timestamp":1776441458554,"version":"3.51.2"},"publisher-location":"New York, NY, USA","reference-count":61,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,5,30]],"date-time":"2022-05-30T00:00:00Z","timestamp":1653868800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,5,30]]},"DOI":"10.1145\/3488932.3523262","type":"proceedings-article","created":{"date-parts":[[2022,5,24]],"date-time":"2022-05-24T04:23:26Z","timestamp":1653366206000},"page":"1139-1153","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":24,"title":["Wolf at the Door"],"prefix":"10.1145","author":[{"given":"Elizabeth","family":"Wyss","sequence":"first","affiliation":[{"name":"University of Kansas, Lawrence, KS, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Alexander","family":"Wittman","sequence":"additional","affiliation":[{"name":"University of Kansas, Lawrence, KS, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Drew","family":"Davidson","sequence":"additional","affiliation":[{"name":"University of Kansas, Lawrence, KS, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Lorenzo","family":"De Carli","sequence":"additional","affiliation":[{"name":"Worcester Polytechnic Institute, Worcester, MA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2022,5,30]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"2020. SELinux Project. https:\/\/github.com\/SELinuxProject  2020. SELinux Project. https:\/\/github.com\/SELinuxProject"},{"key":"e_1_3_2_2_2_1","unstructured":"2021. AppArmor. https:\/\/gitlab.com\/apparmor\/apparmor  2021. AppArmor. https:\/\/gitlab.com\/apparmor\/apparmor"},{"key":"e_1_3_2_2_3_1","unstructured":"2021. Creating Attestations with Kritis Signer | Binary Authorization. https:\/\/cloud.google.com\/binary-authorization\/docs\/creating-attestations-kritis.  2021. Creating Attestations with Kritis Signer | Binary Authorization. https:\/\/cloud.google.com\/binary-authorization\/docs\/creating-attestations-kritis."},{"key":"e_1_3_2_2_4_1","unstructured":"2021. Executive Order on Improving the Nation's Cyberse-curity. https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/.  2021. Executive Order on Improving the Nation's Cyberse-curity. https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/."},{"key":"e_1_3_2_2_5_1","unstructured":"2021. Grafeas\/Grafeas. https:\/\/github.com\/grafeas\/grafeas.  2021. Grafeas\/Grafeas. https:\/\/github.com\/grafeas\/grafeas."},{"key":"e_1_3_2_2_6_1","unstructured":"2021. Grafeas\/Kritis. https:\/\/github.com\/grafeas\/kritis.  2021. Grafeas\/Kritis. https:\/\/github.com\/grafeas\/kritis."},{"key":"e_1_3_2_2_7_1","unstructured":"2021. NodeSource. https:\/\/docs.nodesource.com\/ncmv2\/docs#overview  2021. NodeSource. https:\/\/docs.nodesource.com\/ncmv2\/docs#overview"},{"key":"e_1_3_2_2_8_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Node Mining","unstructured":"2022. Mining Node . js Vulnerabilities via Object Dependence Graph and Query . In 31st USENIX Security Symposium (USENIX Security 22) . USENIX Association, Boston, MA. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/li-song 2022. Mining Node.js Vulnerabilities via Object Dependence Graph and Query. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/li-song"},{"key":"e_1_3_2_2_9_1","unstructured":"2022. Open Science Framework. https:\/\/osf.io  2022. Open Science Framework. https:\/\/osf.io"},{"key":"e_1_3_2_2_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106267"},{"key":"e_1_3_2_2_12_1","volume-title":"van Oorschot","author":"Barrera David","year":"2012","unstructured":"David Barrera , Jeremy Clark , Daniel McCarney , and Paul C . van Oorschot . 2012 . Understanding and Improving App Installation Security Mechanisms through Empirical Analysis of Android (SPSM '12). Association for Computing Machinery . David Barrera, Jeremy Clark, Daniel McCarney, and Paul C. van Oorschot. 2012. Understanding and Improving App Installation Security Mechanisms through Empirical Analysis of Android (SPSM '12). Association for Computing Machinery."},{"key":"e_1_3_2_2_13_1","unstructured":"K Bertus. 2018. Cryptocurrency clipboard hijacker discovered in pypi repository. https:\/\/medium.com\/@bertusk\/  K Bertus. 2018. Cryptocurrency clipboard hijacker discovered in pypi repository. https:\/\/medium.com\/@bertusk\/"},{"key":"e_1_3_2_2_14_1","volume-title":"Classification and regression trees","author":"Breiman Leo","unstructured":"Leo Breiman , Jerome Friedman , Charles J Stone , and Richard A Olshen . 1984. Classification and regression trees . CRC press . Leo Breiman, Jerome Friedman, Charles J Stone, and Richard A Olshen. 1984. Classification and regression trees. CRC press."},{"key":"e_1_3_2_2_15_1","doi-asserted-by":"crossref","unstructured":"Mircea Cadariu Eric Bouwers Joost Visser and Arie van Deursen. 2015. Tracking known security vulnerabilities in proprietary software systems. In SANER.  Mircea Cadariu Eric Bouwers Joost Visser and Arie van Deursen. 2015. Tracking known security vulnerabilities in proprietary software systems. In SANER.","DOI":"10.1109\/SANER.2015.7081868"},{"key":"e_1_3_2_2_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455841"},{"key":"e_1_3_2_2_17_1","volume-title":"Building Resilient Medical Technology Supply Chains with a Software Bill of Materials. npj Digital Medicine","author":"Carmody Seth","year":"2021","unstructured":"Seth Carmody , Andrea Coravos , Ginny Fahs , Audra Hatch , Janine Medina , Beau Woods , and Joshua Corman . 2021. Building Resilient Medical Technology Supply Chains with a Software Bill of Materials. npj Digital Medicine , Vol. 4 , 1 ( Feb. 2021 ), 1--6. Seth Carmody, Andrea Coravos, Ginny Fahs, Audra Hatch, Janine Medina, Beau Woods, and Joshua Corman. 2021. Building Resilient Medical Technology Supply Chains with a Software Bill of Materials. npj Digital Medicine, Vol. 4, 1 (Feb. 2021), 1--6."},{"key":"e_1_3_2_2_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196465"},{"key":"e_1_3_2_2_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2187836.2187879"},{"key":"e_1_3_2_2_20_1","unstructured":"Catalin Cimpanu. 2020. Microsoft spots malicious npm package stealing data from UNIX systems. https:\/\/www.zdnet.com\/article\/microsoft-spots-malicious-npm-package-stealing-data-from-unix-systems\/  Catalin Cimpanu. 2020. Microsoft spots malicious npm package stealing data from UNIX systems. https:\/\/www.zdnet.com\/article\/microsoft-spots-malicious-npm-package-stealing-data-from-unix-systems\/"},{"key":"e_1_3_2_2_21_1","unstructured":"Lucian Constantin. 2020. SolarWinds Attack Explained: And Why It Was so Hard to Detect | CSO Online. https:\/\/www.csoonline.com\/article\/3601508\/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html.  Lucian Constantin. 2020. SolarWinds Attack Explained: And Why It Was so Hard to Detect | CSO Online. https:\/\/www.csoonline.com\/article\/3601508\/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html."},{"key":"e_1_3_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3236027"},{"key":"e_1_3_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196401"},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.23055"},{"key":"e_1_3_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-NIER.2019.00012"},{"key":"e_1_3_2_2_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3236454.3236502"},{"key":"e_1_3_2_2_27_1","unstructured":"OSSF Securing Critical Projects Working Group. 2022. Package Analysis. https:\/\/github.com\/ossf\/package-analysis  OSSF Securing Critical Projects Working Group. 2022. Package Analysis. https:\/\/github.com\/ossf\/package-analysis"},{"key":"e_1_3_2_2_28_1","unstructured":"Joseph Hejderup. 2015. In Dependencies We Trust: How vulnerable are dependencies in software modules? Master's thesis. Delft University of Technology.  Joseph Hejderup. 2015. In Dependencies We Trust: How vulnerable are dependencies in software modules? Master's thesis. Delft University of Technology."},{"key":"e_1_3_2_2_29_1","unstructured":"Vanessa Henderson. 2017. Open-Source Packages With Malicious Content. https:\/\/www.veracode.com\/blog\/research\/open-source-packages-malicious-intent  Vanessa Henderson. 2017. Open-Source Packages With Malicious Content. https:\/\/www.veracode.com\/blog\/research\/open-source-packages-malicious-intent"},{"key":"e_1_3_2_2_30_1","volume-title":"23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID","author":"Koishybayev Igibek","year":"2020","unstructured":"Igibek Koishybayev and Alexandros Kapravelos . 2020 . Mininode: Reducing the Attack Surface of Node.js Applications . In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020). USENIX Association, San Sebastian, 121--134. Igibek Koishybayev and Alexandros Kapravelos. 2020. Mininode: Reducing the Attack Surface of Node.js Applications. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020). USENIX Association, San Sebastian, 121--134."},{"key":"e_1_3_2_2_31_1","unstructured":"J Koljonen. 2019. Warning! is rest-client 1.6.13 hijacked? https:\/\/github.com\/rest-client\/rest-client\/issues\/713  J Koljonen. 2019. Warning! is rest-client 1.6.13 hijacked? https:\/\/github.com\/rest-client\/rest-client\/issues\/713"},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"crossref","unstructured":"R. G. Kula C. D. Roover D. German T. Ishio and K. Inoue. 2014. Visualizing the Evolution of Systems and Their Library Dependencies. In IEEE VISSOFT.  R. G. Kula C. D. Roover D. German T. Ishio and K. Inoue. 2014. Visualizing the Evolution of Systems and Their Library Dependencies. In IEEE VISSOFT.","DOI":"10.1109\/VISSOFT.2014.29"},{"key":"e_1_3_2_2_33_1","volume-title":"Diplomat: Using delegations to protect community repositories. In 13th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 16). 567--581.","author":"Kuppusamy Trishank Karthik","year":"2016","unstructured":"Trishank Karthik Kuppusamy , Santiago Torres-Arias , Vladimir Diaz , and Justin Cappos . 2016 . Diplomat: Using delegations to protect community repositories. In 13th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 16). 567--581. Trishank Karthik Kuppusamy, Santiago Torres-Arias, Vladimir Diaz, and Justin Cappos. 2016. Diplomat: Using delegations to protect community repositories. In 13th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 16). 567--581."},{"key":"e_1_3_2_2_34_1","volume-title":"Association for Computing Machinery","author":"Li Song","unstructured":"Song Li , Mingqing Kang , Jianwei Hou , and Yinzhi Cao . 2021. Detecting Node . Js Prototype Pollution Vulnerabilities via Object Lookup Analysis . Association for Computing Machinery , New York, NY, USA , 268--279. https:\/\/doi.org\/10.1145\/3468264.3468542 10.1145\/3468264.3468542 Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao. 2021. Detecting Node.Js Prototype Pollution Vulnerabilities via Object Lookup Analysis. Association for Computing Machinery, New York, NY, USA, 268--279. https:\/\/doi.org\/10.1145\/3468264.3468542"},{"key":"e_1_3_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.24251\/HICSS.2021.839"},{"key":"e_1_3_2_2_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338933"},{"key":"e_1_3_2_2_37_1","unstructured":"npmjs.com. [n.d.] a. audit (accessed 02\/2021). https:\/\/docs.npmjs.com\/cli\/v7\/commands\/npm-audit.  npmjs.com. [n.d.] a. audit (accessed 02\/2021). https:\/\/docs.npmjs.com\/cli\/v7\/commands\/npm-audit."},{"key":"e_1_3_2_2_38_1","unstructured":"npmjs.com. [n.d.] b. npm. https:\/\/www.npmjs.com\/  npmjs.com. [n.d.] b. npm. https:\/\/www.npmjs.com\/"},{"key":"e_1_3_2_2_39_1","unstructured":"npmjs.com. [n.d.] c. npm Open-Source Terms. https:\/\/www.npmjs.com\/policies\/open-source-terms  npmjs.com. [n.d.] c. npm Open-Source Terms. https:\/\/www.npmjs.com\/policies\/open-source-terms"},{"key":"e_1_3_2_2_40_1","unstructured":"npmjs.com. [n.d.] d. scripts (accessed 02\/2021). https:\/\/docs.npmjs.com\/cli\/v6\/using-npm\/scripts.  npmjs.com. [n.d.] d. scripts (accessed 02\/2021). https:\/\/docs.npmjs.com\/cli\/v6\/using-npm\/scripts."},{"key":"e_1_3_2_2_41_1","unstructured":"npmjs.org. [n.d.] a. numeric precision matters: how npm download counts work (accessed 02\/2021). https:\/\/blog.npmjs.org\/post\/92574016600\/numeric-precision-matters-how-npm-download-counts-work.  npmjs.org. [n.d.] a. numeric precision matters: how npm download counts work (accessed 02\/2021). https:\/\/blog.npmjs.org\/post\/92574016600\/numeric-precision-matters-how-npm-download-counts-work."},{"key":"e_1_3_2_2_42_1","unstructured":"npmjs.org. [n.d.] b. Package install scripts vulnerability (accessed 02\/2021). https:\/\/blog.npmjs.org\/post\/141702881055\/package-install-scripts-vulnerability.  npmjs.org. [n.d.] b. Package install scripts vulnerability (accessed 02\/2021). https:\/\/blog.npmjs.org\/post\/141702881055\/package-install-scripts-vulnerability."},{"key":"e_1_3_2_2_43_1","unstructured":"Chris O'Donnell. 2018. The `event-Stream` Vulnerability. https:\/\/medium.com\/@codfish\/the-event-stream-vulnerability-6acd4c515aae.  Chris O'Donnell. 2018. The `event-Stream` Vulnerability. https:\/\/medium.com\/@codfish\/the-event-stream-vulnerability-6acd4c515aae."},{"key":"e_1_3_2_2_44_1","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"Ohm Marc","unstructured":"Marc Ohm , Henrik Plate , Arnold Sykosch , and Michael Meier . 2020 a. Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks . In Detection of Intrusions and Malware, and Vulnerability Assessment . Springer International Publishing , Cham , 23--43. Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier. 2020 a. Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment. Springer International Publishing, Cham, 23--43."},{"key":"e_1_3_2_2_45_1","volume-title":"2020 b. Towards Detection of Software Supply Chain Attacks by Forensic Artifacts (ARES '20)","author":"Ohm Marc","unstructured":"Marc Ohm , Arnold Sykosch , and Michael Meier . 2020 b. Towards Detection of Software Supply Chain Attacks by Forensic Artifacts (ARES '20) . Association for Computing Machinery , New York, NY, USA , Article 65, 6 pages. Marc Ohm, Arnold Sykosch, and Michael Meier. 2020 b. Towards Detection of Software Supply Chain Attacks by Forensic Artifacts (ARES '20). Association for Computing Machinery, New York, NY, USA, Article 65, 6 pages."},{"key":"e_1_3_2_2_46_1","doi-asserted-by":"publisher","DOI":"10.1016\/S1389-1286(99)00112-7"},{"key":"e_1_3_2_2_47_1","doi-asserted-by":"crossref","unstructured":"Brian Pfretzschner and Lotfi ben Othmane. 2017. Identification of Dependency-based Attacks on Node.Js. In ARES.  Brian Pfretzschner and Lotfi ben Othmane. 2017. Identification of Dependency-based Attacks on Node.Js. In ARES.","DOI":"10.1145\/3098954.3120928"},{"key":"e_1_3_2_2_48_1","doi-asserted-by":"crossref","unstructured":"H. Plate S. E. Ponta and A. Sabetta. 2015. Impact assessment for vulnerabilities in open-source software libraries. In ICSME.  H. Plate S. E. Ponta and A. Sabetta. 2015. Impact assessment for vulnerabilities in open-source software libraries. In ICSME.","DOI":"10.1109\/ICSM.2015.7332492"},{"key":"e_1_3_2_2_49_1","unstructured":"Ax Sharma. 2020 a. NPM Nukes NodeJS Malware Opening Windows Linux Reverse Shells. https:\/\/www.bleepingcomputer.com\/news\/security\/npm-nukes-nodejs-malware-opening-windows-linux-reverse-shells\/  Ax Sharma. 2020 a. NPM Nukes NodeJS Malware Opening Windows Linux Reverse Shells. https:\/\/www.bleepingcomputer.com\/news\/security\/npm-nukes-nodejs-malware-opening-windows-linux-reverse-shells\/"},{"key":"e_1_3_2_2_50_1","unstructured":"Ax Sharma. 2020 b. Trick or Treat: That `twilio-Npm` Package Is Brandjacking Malware in Disguise! https:\/\/blog.sonatype.com\/twilio-npm-is-brandjacking-malware-in-disguise  Ax Sharma. 2020 b. Trick or Treat: That `twilio-Npm` Package Is Brandjacking Malware in Disguise! https:\/\/blog.sonatype.com\/twilio-npm-is-brandjacking-malware-in-disguise"},{"key":"e_1_3_2_2_51_1","unstructured":"Ax Sharma. 2021. Copycats imitate novel supply chain attack that hit tech giants. https:\/\/www.bleepingcomputer.com\/news\/security\/copycats-imitate-novel-supply-chain-attack-that-hit-tech-giants\/  Ax Sharma. 2021. Copycats imitate novel supply chain attack that hit tech giants. https:\/\/www.bleepingcomputer.com\/news\/security\/copycats-imitate-novel-supply-chain-attack-that-hit-tech-giants\/"},{"key":"e_1_3_2_2_52_1","unstructured":"Sindre Sorhus. 2020. Install npm packages globally without sudo on macOS and Linux. https:\/\/github.com\/sindresorhus\/guides\/blob\/main\/npm-global-without-sudo.md  Sindre Sorhus. 2020. Install npm packages globally without sudo on macOS and Linux. https:\/\/github.com\/sindresorhus\/guides\/blob\/main\/npm-global-without-sudo.md"},{"key":"e_1_3_2_2_53_1","volume-title":"Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers. In 27th USENIX Security Symposium (USENIX Security 18)","author":"Staicu Cristian-Alexandru","year":"2018","unstructured":"Cristian-Alexandru Staicu and Michael Pradel . 2018 . Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers. In 27th USENIX Security Symposium (USENIX Security 18) . USENIX Association, Baltimore, MD, 361--376. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/staicu Cristian-Alexandru Staicu and Michael Pradel. 2018. Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 361--376. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/staicu"},{"key":"e_1_3_2_2_54_1","volume-title":"SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS. In NDSS.","author":"Staicu Cristian-Alexandru","year":"2018","unstructured":"Cristian-Alexandru Staicu , Michael Pradel , and Benjamin Livshits . 2018 . SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS. In NDSS. Cristian-Alexandru Staicu, Michael Pradel, and Benjamin Livshits. 2018. SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS. In NDSS."},{"key":"e_1_3_2_2_55_1","unstructured":"Sylabs. 2020. Home | Sylabs. Io. https:\/\/sylabs.io\/  Sylabs. 2020. Home | Sylabs. Io. https:\/\/sylabs.io\/"},{"key":"e_1_3_2_2_56_1","volume-title":"Defending Against Package Typosquatting. In International Conference on Network and System Security. Springer, 112--131","author":"Taylor Matthew","year":"2020","unstructured":"Matthew Taylor , Ruturaj Vaidya , Drew Davidson , Lorenzo De Carli , and Vaibhav Rastogi . 2020 . Defending Against Package Typosquatting. In International Conference on Network and System Security. Springer, 112--131 . Matthew Taylor, Ruturaj Vaidya, Drew Davidson, Lorenzo De Carli, and Vaibhav Rastogi. 2020. Defending Against Package Typosquatting. In International Conference on Network and System Security. Springer, 112--131."},{"key":"e_1_3_2_2_57_1","volume-title":"Dependencies: No Software is an Island. Master's thesis","author":"Tellnes J\u00f8rgen","year":"2013","unstructured":"J\u00f8rgen Tellnes . 2013 . Dependencies: No Software is an Island. Master's thesis . The University of Bergen . J\u00f8rgen Tellnes. 2013. Dependencies: No Software is an Island. Master's thesis. The University of Bergen."},{"key":"e_1_3_2_2_58_1","volume-title":"Drew Davidson, and Vaibhav Rastogi.","author":"Vaidya Ruturaj K.","year":"2019","unstructured":"Ruturaj K. Vaidya , Lorenzo De Carli , Drew Davidson, and Vaibhav Rastogi. 2019 . Security Issues in Language-based Sofware Ecosystems. CoRR , Vol. abs\/ 1903 .02613 (2019). arxiv: 1903.02613 http:\/\/arxiv.org\/abs\/1903.02613 Ruturaj K. Vaidya, Lorenzo De Carli, Drew Davidson, and Vaibhav Rastogi. 2019. Security Issues in Language-based Sofware Ecosystems. CoRR, Vol. abs\/1903.02613 (2019). arxiv: 1903.02613 http:\/\/arxiv.org\/abs\/1903.02613"},{"key":"e_1_3_2_2_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484535"},{"key":"e_1_3_2_2_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/AsiaJCIS.2012.18"},{"key":"e_1_3_2_2_61_1","doi-asserted-by":"crossref","unstructured":"A. A. Younis Y. K. Malaiya and I. Ray. 2014. Using Attack Surface Entry Points and Reachability Analysis to Assess the Risk of Software Vulnerability Exploitability. In HASE.  A. A. Younis Y. K. Malaiya and I. Ray. 2014. Using Attack Surface Entry Points and Reachability Analysis to Assess the Risk of Software Vulnerability Exploitability. In HASE.","DOI":"10.1109\/HASE.2014.10"},{"key":"e_1_3_2_2_62_1","volume-title":"28th {USENIX} Security Symposium ({USENIX} Security 19). 995--1010.","author":"Zimmermann Markus","unstructured":"Markus Zimmermann , Cristian-Alexandru Staicu , Cam Tenny , and Michael Pradel . 2019. Small world with high risks: A study of security threats in the npm ecosystem . In 28th {USENIX} Security Symposium ({USENIX} Security 19). 995--1010. Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small world with high risks: A study of security threats in the npm ecosystem. In 28th {USENIX} Security Symposium ({USENIX} Security 19). 995--1010."}],"event":{"name":"ASIA CCS '22: ACM Asia Conference on Computer and Communications Security","location":"Nagasaki Japan","acronym":"ASIA CCS '22","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3488932.3523262","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3488932.3523262","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T19:31:27Z","timestamp":1750188687000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3488932.3523262"}},"subtitle":["Preventing Install-Time Attacks in npm with Latch"],"short-title":[],"issued":{"date-parts":[[2022,5,30]]},"references-count":61,"alternative-id":["10.1145\/3488932.3523262","10.1145\/3488932"],"URL":"https:\/\/doi.org\/10.1145\/3488932.3523262","relation":{},"subject":[],"published":{"date-parts":[[2022,5,30]]},"assertion":[{"value":"2022-05-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}