{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T02:44:00Z","timestamp":1769913840746,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":33,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,26]],"date-time":"2023-11-26T00:00:00Z","timestamp":1700956800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,30]]},"DOI":"10.1145\/3605770.3625211","type":"proceedings-article","created":{"date-parts":[[2023,11,23]],"date-time":"2023-11-23T11:46:12Z","timestamp":1700739972000},"page":"41-49","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":12,"title":["Differential Static Analysis for Detecting Malicious Updates to Open Source Packages"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-1398-1583","authenticated-orcid":false,"given":"Fabian Niklas","family":"Froh","sequence":"first","affiliation":[{"name":"Ludwig-Maximilians-Universit\u00e4t M\u00fcnchen (LMU Munich), Munich, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-8823-0029","authenticated-orcid":false,"given":"Mat\u00edas Federico","family":"Gobbi","sequence":"additional","affiliation":[{"name":"Bundeswehr University Munich & Ludwig-Maximilians-Universit\u00e4t M\u00fcnchen (LMU Munich), Munich, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8594-7839","authenticated-orcid":false,"given":"Johannes","family":"Kinder","sequence":"additional","affiliation":[{"name":"Ludwig-Maximilians-Universit\u00e4t M\u00fcnchen (LMU Munich), Munich, Germany"}]}],"member":"320","published-online":{"date-parts":[[2023,11,26]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Pranay Ahlawat 
Johannes Boyne Dominik Herz Florian Schmieg and Michael Stephan. 2021. Why You Need an Open Source Software Strategy. https:\/\/www.bcg.com\/publications\/2021\/open-source-software-strategy-benefits Accessed: 2023-07--12."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/3517208.3523753"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.62"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ECOOP.2016.2"},{"key":"e_1_3_2_1_5_1","volume-title":"I Know What You Imported Last Summer: A study of security threats in the Python ecosystem. CoRR","author":"Bagmar Aadesh","year":"2021","unstructured":"Aadesh Bagmar, Josiah Wedgwood, Dave Levin, and Jim Purtilo. 2021. I Know What You Imported Last Summer: A study of security threats in the Python ecosystem. CoRR , Vol. abs\/2102.06301 (2021)."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SCAM51674.2020.00027"},{"key":"e_1_3_2_1_7_1","unstructured":"Adam Bannister. 2021. Popular NPM package UA-Parser-JS poisoned with cryptomining password-stealing malware. https:\/\/portswigger.net\/daily-swig\/popular-npm-package-ua-parser-js-poisoned-with-cryptomining-password-stealing-malware Accessed: 2023-07--12."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2023.3286301"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598050"},{"key":"e_1_3_2_1_10_1","volume-title":"7th IEEE Int. Working Conf. Source Code Analysis and Manipulation (SCAM","author":"de Moor Oege","year":"2007","unstructured":"Oege de Moor, Mathieu Verbaere, Elnar Hajiyev, Pavel Avgustinov, Torbj\u00f6rn Ekman, Neil Ongkingco, Damien Sereni, and Julian Tibble. 2007. Keynote Address: .QL for Source Code Analysis. In 7th IEEE Int. Working Conf. Source Code Analysis and Manipulation (SCAM 2007). IEEE Computer Society."},{"key":"e_1_3_2_1_11_1","unstructured":"Idan Digmi. 2023. 
The rising trend of malicious packages in open source ecosystems. https:\/\/snyk.io\/blog\/malicious-packages-open-source-ecosystems\/ Accessed: 2023-07--12."},{"key":"e_1_3_2_1_12_1","volume-title":"Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages. In 28th Annu. Network and Distributed System Security Symposium (NDSS). The Internet Society.","author":"Duan Ruian","year":"2021","unstructured":"Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2021. Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages. In 28th Annu. Network and Distributed System Security Symposium (NDSS). The Internet Society."},{"key":"e_1_3_2_1_13_1","volume-title":"Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis. In 8th European Symp. Security and Privacy (EuroS&P). IEEE.","author":"Dunlap Trevor","year":"2023","unstructured":"Trevor Dunlap, Seaver Thorn, William Enck, and Bradley Reaves. 2023. Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis. In 8th European Symp. Security and Privacy (EuroS&P). IEEE."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00121"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-NIER.2019.00012"},{"key":"e_1_3_2_1_16_1","unstructured":"GitHub. 2021. CodeQL code scanning: new severity levels for security alerts. https:\/\/github.blog\/changelog\/2021-07--19-codeql-code-scanning-new-severity-levels-for-security-alerts\/ Accessed: 2023-07--12."},{"key":"e_1_3_2_1_17_1","volume-title":"Anomalicious: Automated Detection of Anomalous and Potentially Malicious Commits on GitHub. In 43rd Int. Conf. Software Engineering (ICSE). IEEE.","author":"Gonzalez Danielle","year":"2021","unstructured":"Danielle Gonzalez, Thomas Zimmermann, Patrice Godefroid, and Max Sch\u00e4fer. 2021. 
Anomalicious: Automated Detection of Anomalous and Potentially Malicious Commits on GitHub. In 43rd Int. Conf. Software Engineering (ICSE). IEEE."},{"key":"e_1_3_2_1_18_1","volume-title":"23rd Int. Symp. Research in Attacks, Intrusions and Defenses (RAID","author":"Koishybayev Igibek","year":"2020","unstructured":"Igibek Koishybayev and Alexandros Kapravelos. 2020. Mininode: Reducing the Attack Surface of Node.js Applications. In 23rd Int. Symp. Research in Attacks, Intrusions and Defenses (RAID 2020). USENIX Association."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3533767.3534380"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3488932.3497764"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"e_1_3_2_1_22_1","volume-title":"You Can Run But You Can't Hide: Runtime Protection Against Malicious Package Updates For Node.js. CoRR","author":"Ohm Marc","year":"1976","unstructured":"Marc Ohm, Timo Pohl, and Felix Boes. 2023. You Can Run But You Can't Hide: Runtime Protection Against Malicious Package Updates For Node.js. CoRR , Vol. abs\/2305.19760 (2023)."},{"key":"e_1_3_2_1_23_1","unstructured":"Andrey Polkovnychenko and Shachar Menashe. 2022. Npm Supply Chain Attack Targets Germany-based Companies with Dangerous Backdoor Malware. https:\/\/jfrog.com\/blog\/npm-supply-chain-attack-targets-german-based-companies\/ Accessed: 2023-07--12."},{"key":"e_1_3_2_1_24_1","volume-title":"Malware Monthly -","author":"Relations Sonatype Developer","year":"2023","unstructured":"Sonatype Developer Relations. 2023. Malware Monthly - March 2023. https:\/\/blog.sonatype.com\/malware-monthly-march-2023 Accessed: 2023-07--12."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3538969.3543815"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510104"},{"key":"e_1_3_2_1_27_1","volume-title":"Proc. 32nd USENIX Security Symposium. 
USENIX Association.","author":"Shcherbakov Mikhail","year":"2023","unstructured":"Mikhail Shcherbakov, Musard Balliu, and Cristian-Alexandru Staicu. 2023. Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js. In Proc. 32nd USENIX Security Symposium. USENIX Association."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/1137983.1138014"},{"key":"e_1_3_2_1_29_1","unstructured":"Martin Woodward. 2022. Octoverse 2022: 10 years of tracking open source. https:\/\/github.blog\/2022--11--17-octoverse-2022--10-years-of-tracking-open-source\/ Accessed: 2023-07--12."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2435349.2435364"},{"key":"e_1_3_2_1_31_1","volume-title":"44th Int. Conf. Software Engineering (ICSE). IEEE.","author":"Zahan Nusrat","unstructured":"Nusrat Zahan, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, Chandra Shekhar Maddila, and Laurie A. Williams. 2022. What are Weak Links in the npm Supply Chain?. In 44th Int. Conf. Software Engineering (ICSE). IEEE."},{"key":"e_1_3_2_1_32_1","volume-title":"Postmortem for Malicious Packages Published on July 12th","author":"Zhu Henry","year":"2018","unstructured":"Henry Zhu. 2018. Postmortem for Malicious Packages Published on July 12th, 2018. https:\/\/eslint.org\/blog\/2018\/07\/postmortem-for-malicious-package-publishes\/ Accessed: 2023-07--12."},{"key":"e_1_3_2_1_33_1","volume-title":"Proc. 28th USENIX Security Symposium. USENIX Association.","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small World with High Risks: A Study of Security Threats in the npm Ecosystem. In Proc. 28th USENIX Security Symposium. 
USENIX Association."}],"event":{"name":"CCS '23: ACM SIGSAC Conference on Computer and Communications Security","location":"Copenhagen Denmark","acronym":"CCS '23","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605770.3625211","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3605770.3625211","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:36:18Z","timestamp":1750178178000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605770.3625211"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,26]]},"references-count":33,"alternative-id":["10.1145\/3605770.3625211","10.1145\/3605770"],"URL":"https:\/\/doi.org\/10.1145\/3605770.3625211","relation":{},"subject":[],"published":{"date-parts":[[2023,11,26]]},"assertion":[{"value":"2023-11-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}