{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T09:59:19Z","timestamp":1775815159984,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":24,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,8,23]],"date-time":"2022-08-23T00:00:00Z","timestamp":1661212800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100010669","name":"H2020 LEIT Information and Communication Technologies","doi-asserted-by":"publisher","award":["952647"],"award-info":[{"award-number":["952647"]}],"id":[{"id":"10.13039\/100010669","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,8,23]]},"DOI":"10.1145\/3538969.3543815","type":"proceedings-article","created":{"date-parts":[[2022,8,17]],"date-time":"2022-08-17T23:41:40Z","timestamp":1660779700000},"page":"1-8","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":25,"title":["On the feasibility of detecting injections in malicious npm packages"],"prefix":"10.1145","author":[{"given":"Simone","family":"Scalco","sequence":"first","affiliation":[{"name":"Department of Information Engineering and Computer Science, University of Trento, Italy"}]},{"given":"Ranindya","family":"Paramitha","sequence":"additional","affiliation":[{"name":"Department of Information Engineering and Computer Science, University of Trento, Italy"}]},{"given":"Duc-Ly","family":"Vu","sequence":"additional","affiliation":[{"name":"FPT University, Vietnam"}]},{"given":"Fabio","family":"Massacci","sequence":"additional","affiliation":[{"name":"Department of Information Engineering and Computer Science, University of Trento, Italy and Foundational Security, Vrije Universiteit Amsterdam, Netherlands"}]}],"member":"320","published-online":{"date-parts":[[2022,8,23]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2019. Most popular npm packages. https:\/\/gist.github.com\/anvaka\/8e8fa57c7ee1350e3491. Accessed: 2022-03-10."},{"key":"e_1_3_2_1_2_1","unstructured":"2021. GitHut 2.0: A small place to discover languages in Github. https:\/\/madnight.github.io\/githut\/#\/pull_requests\/2021\/4. Accessed: 2022-03-20."},{"key":"e_1_3_2_1_3_1","unstructured":"[n.d.]. Git log. https:\/\/git-scm.com\/docs\/git-log\/. Accessed: 2022-03-10."},{"key":"e_1_3_2_1_4_1","unstructured":"[n.d.]. NPM-Audit. https:\/\/docs.npmjs.com\/cli\/v8\/commands\/npm-audit\/. Accessed: 2022-03-10."},{"key":"e_1_3_2_1_5_1","unstructured":"Catalin Cimpanu. 2018. Compromised JavaScript Package Caught Stealing npm Credentials. https:\/\/www.bleepingcomputer.com\/news\/security\/compromised-javascript-package-caught-stealing-npm-credentials\/. (2018)."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","unstructured":"Ruian Duan Omar Alrawi Ranjita\u00a0Pai Kasturi Ryan Elder Brendan Saltaformaggio and Wenke Lee. 2021. Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages. https:\/\/arxiv.org\/pdf\/2002.01139.pdf. (2021). https:\/\/doi.org\/10.48550\/arXiv.2002.01139","DOI":"10.48550\/arXiv.2002.01139"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00121"},{"key":"e_1_3_2_1_8_1","unstructured":"github. 2020. GitHub. https:\/\/github.com\/. Accessed: 2022-03-09."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","unstructured":"Danielle Gonzalez Thomas Zimmermann Patrice Godefroid and Max Sch\u00e4fer. 2021. Anomalicious: Automated Detection of Anomalous and Potentially Malicious Commits on GitHub. In 2021 IEEE\/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP). IEEE 258\u2013267. https:\/\/doi.org\/10.1109\/ICSE-SEIP52600.2021.00035","DOI":"10.1109\/ICSE-SEIP52600.2021.00035"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"crossref","unstructured":"Piergiorgio Ladisa Henrik Plate Matias Martinez and Olivier Barais. 2022. Taxonomy of Attacks on Open-Source Software Supply Chains. arXiv preprint arXiv:2204.04008(2022).","DOI":"10.1145\/3560835.3564546"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom53373.2021.00091"},{"key":"e_1_3_2_1_12_1","unstructured":"Microsoft. 2020. OSS Detect Backdoor. https:\/\/github.com\/microsoft\/OSSGadget\/wiki\/OSS-Detect-Backdoor."},{"key":"e_1_3_2_1_13_1","unstructured":"Microsoft. 2020. OSS Gadget: Collection of tools for analyzing open source packages. https:\/\/github.com\/microsoft\/OSSGadget."},{"key":"e_1_3_2_1_14_1","unstructured":"npm Inc.2019. npm. https:\/\/www.npmjs.com\/. Accessed: 2022-03-08."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"crossref","unstructured":"Marc Ohm Lukas Kempf Felix Boes and Michael Meier. 2020. Supporting the Detection of Software Supply Chain Attacks through Unsupervised Signature Generation. arXiv preprint arXiv:2011.02235(2020).","DOI":"10.1145\/3407023.3409183"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"e_1_3_2_1_17_1","unstructured":"Synopsys. 2021. Open Source Security and Risk Analysis Report. https:\/\/www.synopsys.com\/content\/dam\/synopsys\/sig-assets\/reports\/2020-ossra-report.pdf. (2021)."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-65745-1_7"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE51524.2021.9678526"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468592"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417232"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3420015"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW51379.2020.00074"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"crossref","unstructured":"Nusrat Zahan Laurie Williams Thomas Zimmermann Patrice Godefroid Brendan Murphy and Chandra Maddila. 2021. What are Weak Links in the npm Supply Chain?arXiv preprint arXiv:2112.10165(2021).","DOI":"10.1145\/3510457.3513044"}],"event":{"name":"ARES 2022: The 17th International Conference on Availability, Reliability and Security","location":"Vienna Austria","acronym":"ARES 2022"},"container-title":["Proceedings of the 17th International Conference on Availability, Reliability and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3538969.3543815","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3538969.3543815","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T18:59:57Z","timestamp":1750186797000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3538969.3543815"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,8,23]]},"references-count":24,"alternative-id":["10.1145\/3538969.3543815","10.1145\/3538969"],"URL":"https:\/\/doi.org\/10.1145\/3538969.3543815","relation":{},"subject":[],"published":{"date-parts":[[2022,8,23]]},"assertion":[{"value":"2022-08-23","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}