{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T00:08:27Z","timestamp":1755907707095,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":106,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,12,4]],"date-time":"2023-12-04T00:00:00Z","timestamp":1701648000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"NSF Grants","award":["2054692"],"award-info":[{"award-number":["2054692"]}]},{"name":"DHS","award":["Securely Updating Automobiles"],"award-info":[{"award-number":["Securely Updating Automobiles"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,12,4]]},"DOI":"10.1145\/3627106.3627129","type":"proceedings-article","created":{"date-parts":[[2023,12,2]],"date-time":"2023-12-02T18:13:22Z","timestamp":1701540802000},"page":"83-97","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Artemis: Defanging Software Supply Chain Attacks in Multi-repository Update Systems"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-3252-1104","authenticated-orcid":false,"given":"Marina","family":"Moore","sequence":"first","affiliation":[{"name":"New York University, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9999-5076","authenticated-orcid":false,"given":"Trishank Karthik","family":"Kuppusamy","sequence":"additional","affiliation":[{"name":"Datadog, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1926-8544","authenticated-orcid":false,"given":"Justin","family":"Cappos","sequence":"additional","affiliation":[{"name":"New York University, USA"}]}],"member":"320","published-online":{"date-parts":[[2023,12,4]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/155183.155225"},{"key":"e_1_3_2_1_2_1","volume-title":"NPM Hijackers at It Again: Popular \u2018coa","author":"Aguirre Juan","year":"2021","unstructured":"Juan Aguirre. 2021. NPM Hijackers at It Again: Popular \u2018coa\u2019 and \u2018rc\u2019 Open Source Libraries Taken Over to Spread Malware. https:\/\/blog.sonatype.com\/npm-hijackers-at-it-again-popular-coa-and-rc-open-source-libraries-taken-over-to-spread-malware. sonatype blog (2021)."},{"key":"e_1_3_2_1_3_1","unstructured":"Apache Infrastructure Team. 2009. apache.org incident report for 8\/28\/2009. https:\/\/blogs.apache.org\/infra\/entry\/apache_org_downtime_report."},{"key":"e_1_3_2_1_4_1","unstructured":"Apache Infrastructure Team. 2010. apache.org incident report for 04\/09\/2010. https:\/\/blogs.apache.org\/infra\/entry\/apache_org_04_09_2010."},{"key":"e_1_3_2_1_5_1","unstructured":"apt 2021. add-apt-repository."},{"key":"e_1_3_2_1_6_1","unstructured":"ArchWiki. 2022. Official Repositories. https:\/\/wiki.archlinux.org\/title\/Official_repositories."},{"key":"e_1_3_2_1_7_1","unstructured":"Argon. [n. d.]. 2021 Software Supply Chain Security Report. Technical Report. Argon: An Aqua Company. https:\/\/info.aquasec.com\/argon-supply-chain-attacks-study"},{"key":"e_1_3_2_1_8_1","unstructured":"Brad Arkin. 2012. Adobe to Revoke Code Signing Certificate. https:\/\/blogs.adobe.com\/conversations\/2012\/09\/adobe-to-revoke-code-signing-certificate.html."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2013.53"},{"key":"e_1_3_2_1_10_1","volume-title":"Proceedings of the 23rd National Conference on Information Systems Security (12","author":"Barka Ezedin","year":"2000","unstructured":"Ezedin Barka and Ravi S. 2000. A Role-Based Delegation Model and Some Extensions. Proceedings of the 23rd National Conference on Information Systems Security (12 2000)."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2004.31"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180453"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180453"},{"key":"e_1_3_2_1_14_1","volume-title":"Proceedings of USENIX Hot Topics in Security (HotSec)","author":"Bellissimo Anthony","year":"2006","unstructured":"Anthony Bellissimo, John Burgess, and Kevin Fu. 2006. Secure software updates: disappointments and new challenges. Proceedings of USENIX Hot Topics in Security (HotSec) (2006)."},{"key":"e_1_3_2_1_15_1","unstructured":"bottlerocket 2019. Bottlerocket update infrastructure. https:\/\/github.com\/bottlerocket-os\/bottlerocket\/tree\/develop\/sources\/updater."},{"key":"e_1_3_2_1_16_1","unstructured":"Daniel Burrows. 2005. Modelling and resolving software dependencies. https:\/\/people.debian.org\/\u00a0dburrows\/model.pdf."},{"key":"e_1_3_2_1_17_1","volume-title":"The 21st Large Installation System Administration Conference, LISA\u201907","author":"Cappos Justin","year":"2007","unstructured":"Justin Cappos, Scott Baker, Jeremy Plichta, Duy Nyugen, Jason Hardies, Matt Borgard, Jeffry Johnston, and John\u00a0H Hartman. 2007. Stork: package management for distributed VM environments. In The 21st Large Installation System Administration Conference, LISA\u201907."},{"key":"e_1_3_2_1_18_1","unstructured":"Justin Cappos Trishank\u00a0Karthik Kuppusamy Joshua Lock Marina Moore and Lukas P\u00fchringer. 2022. The Update Framework Specification. Specification. https:\/\/theupdateframework.github.io\/specification\/latest\/"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455841"},{"key":"e_1_3_2_1_20_1","unstructured":"Justin Cappos Justin Samuel Scott Baker and John\u00a0H Hartman. 2008. Package management security. University of Arizona Technical Report (2008) 08\u201302."},{"key":"e_1_3_2_1_21_1","volume-title":"Stork: Secure Package Management for VM Environments. Dissertation","author":"Capppos Justin","year":"2008","unstructured":"Justin Capppos. 2008. Stork: Secure Package Management for VM Environments. Dissertation. University of Arizona."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.5555\/296806.296824"},{"volume-title":"Technical Report","author":"Information Technology Laboratory Computer Security\u00a0Resource Center","key":"e_1_3_2_1_23_1","unstructured":"Information Technology Laboratory Computer Security\u00a0Resource Center. 2021. Software Identification (SWID)Tagging. Technical Report. National Institute of Standards and Technology."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2012.113"},{"key":"e_1_3_2_1_25_1","unstructured":"Jonathan Corbet. 2011. The cracking of kernel.org. http:\/\/www.linuxfoundation.org\/news-media\/blogs\/browse\/2011\/08\/cracking-kernelorg."},{"key":"e_1_3_2_1_26_1","unstructured":"CoreOS Inc.[n. d.]. Quay Container Registry. https:\/\/quay.io\/."},{"key":"e_1_3_2_1_27_1","unstructured":"Debian. 2003. Debian Investigation Report after Server Compromises. https:\/\/www.debian.org\/News\/2003\/20031202."},{"key":"e_1_3_2_1_28_1","unstructured":"Debian. 2012. Security breach on the Debian wiki 2012-07-25. https:\/\/wiki.debian.org\/DebianWiki\/SecurityIncident2012."},{"key":"e_1_3_2_1_29_1","volume-title":"Society and Group Oriented Cryptography: A New Concept. In A Conference on the Theory and Applications of Cryptographic Techniques on Advances in Cryptology(CRYPTO \u201987)","author":"Desmedt Yvo","year":"1987","unstructured":"Yvo Desmedt. 1987. Society and Group Oriented Cryptography: A New Concept. In A Conference on the Theory and Applications of Cryptographic Techniques on Advances in Cryptology(CRYPTO \u201987). Springer-Verlag, Berlin, Heidelberg, 120\u2013127."},{"key":"e_1_3_2_1_30_1","unstructured":"Docker Inc.[n. d.]. Docker Hub. https:\/\/hub.docker.com\/."},{"key":"e_1_3_2_1_31_1","unstructured":"OWASP Foundation. 2021. CycloneDx. https:\/\/cyclonedx.org\/."},{"key":"e_1_3_2_1_32_1","volume-title":"Infrastructure report","author":"Frields W.","year":"2008","unstructured":"Paul\u00a0W. Frields. 2008. Infrastructure report, 2008-08-22 UTC 1200. https:\/\/www.redhat.com\/archives\/fedora-announce-list\/2008-August\/msg00012.html."},{"key":"e_1_3_2_1_33_1","unstructured":"Fuschia. 2021. Software Update System. Technical Report."},{"key":"e_1_3_2_1_34_1","volume-title":"For Good Measure: Counting Broken Links: A Quant\u2019s View of Software Supply Chain Security. login Usenix Mag. 45","author":"Geer Dan","year":"2020","unstructured":"Dan Geer, Bentz Tozer, and John\u00a0Speed Meyers. 2020. For Good Measure: Counting Broken Links: A Quant\u2019s View of Software Supply Chain Security. login Usenix Mag. 45 (2020)."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243859"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3445814.3446728"},{"key":"e_1_3_2_1_37_1","unstructured":"GitHub Inc.2012. Public Key Security Vulnerability and Mitigation. https:\/\/github.com\/blog\/1068-public-key-security-vulnerability-and-mitigation."},{"key":"e_1_3_2_1_38_1","unstructured":"GNU Savannah. 2010. Compromise2010. https:\/\/savannah.gnu.org\/maintenance\/Compromise2010\/."},{"key":"e_1_3_2_1_39_1","unstructured":"Dan Goodin. 2013. Attackers sign malware using crypto certificate stolen from Opera Software. http:\/\/arstechnica.com\/security\/2013\/06\/attackers-sign-malware-using-crypto-certificate-stolen-from-opera-software\/."},{"key":"e_1_3_2_1_40_1","unstructured":"Benjamin\u00a0N Grosof. 1997. Prioritized Conflict Handling for Logic Programs.. In ILPS Vol.\u00a097. 197\u2013211."},{"key":"e_1_3_2_1_41_1","volume-title":"SIGL: Securing Software Installations Through Deep Graph Learning. In 30th USENIX Security Symposium (USENIX Security 21)","author":"Han Xueyuan","year":"2021","unstructured":"Xueyuan Han, Xiao Yu, Thomas Pasquier, Ding Li, Junghwan Rhee, James Mickens, Margo Seltzer, and Haifeng Chen. 2021. SIGL: Securing Software Installations Through Deep Graph Learning. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 2345\u20132362. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/han-xueyuan"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/41625.41627"},{"key":"e_1_3_2_1_43_1","unstructured":"in-toto 2022. in-toto - A framework to secure the integrity of software supply chains. https:\/\/in-toto.io\/."},{"key":"e_1_3_2_1_44_1","unstructured":"Internet Security Research\u00a0Group (ISRG).2021. Let\u2019s Encrypt Stats. https:\/\/letsencrypt.org\/stats\/."},{"key":"e_1_3_2_1_45_1","volume-title":"A public-key cryptosystem suitable for digital multisignatures. NEC research & development","author":"K ITAKURA","year":"1983","unstructured":"K ITAKURA, K;\u00a0NAKAMURA. 1983. A public-key cryptosystem suitable for digital multisignatures. NEC research & development (1983)."},{"key":"e_1_3_2_1_46_1","volume-title":"Uptane Series","author":"Foundation Projects Joint Development","year":"2020","unstructured":"Joint Development Foundation Projects, LLC, Uptane Series. 2020. Adoptions. https:\/\/uptane.github.io\/adoptions.html."},{"key":"e_1_3_2_1_47_1","volume-title":"2nd USENIX Workshop on Free and Open Communications on the Internet","author":"Knockel Jeffrey","year":"2012","unstructured":"Jeffrey Knockel and Jedidiah\u00a0R Crandall. 2012. Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on Third-Party Software: We\u2019re FOCI\u2019d. In Presented as part of the 2nd USENIX Workshop on Free and Open Communications on the Internet (Bellevue, WA). USENIX, Berkeley, CA. https:\/\/www.usenix.org\/conference\/foci12\/protecting-free-and-open-communications-internet-against-man-middle-attacks-third"},{"volume-title":"Case Study: IBM Building an Image Trust Service on Kubernetes with Notary and TUF. https:\/\/v1-18.docs.kubernetes.io\/case-studies\/ibm\/.","year":"2018","key":"e_1_3_2_1_48_1","unstructured":"Kubernetes. 2018. Case Study: IBM Building an Image Trust Service on Kubernetes with Notary and TUF. https:\/\/v1-18.docs.kubernetes.io\/case-studies\/ibm\/."},{"key":"e_1_3_2_1_49_1","unstructured":"Trishank\u00a0Karthik Kuppusamy. 2019. Secure Publication of Datadog Agent Integrations with TUF and in-toto. https:\/\/www.datadoghq.com\/blog\/engineering\/secure-publication-of-datadog-agent-integrations-with-tuf-and-in-toto\/."},{"key":"e_1_3_2_1_50_1","volume-title":"Mercury: Bandwidth-Effective Prevention of Rollback Attacks against Community Repositories. In USENIX ATC \u201917 (Santa Clara, CA, USA)","author":"Kuppusamy Trishank\u00a0Karthik","year":"2017","unstructured":"Trishank\u00a0Karthik Kuppusamy, Vladimir Diaz, and Justin Cappos. 2017. Mercury: Bandwidth-Effective Prevention of Rollback Attacks against Community Repositories. In USENIX ATC \u201917 (Santa Clara, CA, USA). USENIX Association, USA, 673\u2013688."},{"key":"e_1_3_2_1_51_1","unstructured":"Trishank\u00a0Karthik Kuppusamy Vladimir Diaz Donald Stufft and Justin Cappos. 2013. PEP 458 \u2013 Securing the Link from PyPI to the End User. https:\/\/www.python.org\/dev\/peps\/pep-0458\/."},{"key":"e_1_3_2_1_52_1","unstructured":"Trishank\u00a0Karthik Kuppusamy Santiago Torres-Arias Vladimir Diaz and Justin Cappos. [n. d.]. Diplomat: Using Delegations to Protect Community Repositories. Technical Report TR-CSE-2016-01. Computer Science and Engineering Tandon School of Engineering New York University. http:\/\/isis.poly.edu\/\u00a0jcappos\/papers\/TR-CSE-2016-01.pdf"},{"key":"e_1_3_2_1_53_1","volume-title":"13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16)","author":"Kuppusamy Trishank\u00a0Karthik","year":"2016","unstructured":"Trishank\u00a0Karthik Kuppusamy, Santiago Torres-Arias, Vladimir Diaz, and Justin Cappos. 2016. Diplomat: Using Delegations to Protect Community Repositories. In 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16). USENIX Association, Santa Clara, CA, 567\u2013581. https:\/\/www.usenix.org\/conference\/nsdi16\/technical-sessions\/presentation\/kuppusamy"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.00010"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/138873.138874"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/138873.138874"},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-03298-1_3"},{"key":"e_1_3_2_1_58_1","volume-title":"Proceedings of the 6th conference on Symposium on Operating Systems Design & Implementation -","volume":"6","author":"Li Jinyuan","year":"2004","unstructured":"Jinyuan Li, Maxwell Krohn, David Mazi\u00e8res, and Dennis Shasha. 2004. Secure untrusted data repository (SUNDR). In Proceedings of the 6th conference on Symposium on Operating Systems Design & Implementation - Volume 6 (San Francisco, CA) (OSDI\u201904). USENIX Association, Berkeley, CA, USA, 9\u20139. http:\/\/dl.acm.org\/citation.cfm?id=1251254.1251263"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.5555\/1973430.1973440"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2003.818808"},{"key":"e_1_3_2_1_61_1","volume-title":"Delegation Logic: A Logic-based Approach to Distributed Authorization. Ph.\u00a0D. Dissertation","author":"Li Ninghui","year":"2000","unstructured":"Ninghui Li. 2000. Delegation Logic: A Logic-based Approach to Distributed Authorization. Ph.\u00a0D. Dissertation. New York University."},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSFW.1999.779771"},{"key":"e_1_3_2_1_63_1","volume-title":"Computer Security Foundations Workshop, 1999. Proceedings of the 12th IEEE. IEEE, 162\u2013174","author":"Li Ninghui","year":"1999","unstructured":"Ninghui Li, Joan Feigenbaum, and Benjamin\u00a0N Grosof. 1999. A logic-based knowledge representation for authorization with delegation. In Computer Security Foundations Workshop, 1999. Proceedings of the 12th IEEE. IEEE, 162\u2013174."},{"key":"e_1_3_2_1_64_1","unstructured":"Ninghui Li Benjamin\u00a0N. Grosof and Joan Feigenbaum. 2000. A Nonmonotonic Delegation Logic with Prioritized Conflict Handling. https:\/\/www.cs.purdue.edu\/homes\/ninghui\/papers\/old\/d2lp.pdf."},{"key":"e_1_3_2_1_65_1","unstructured":"Ninghui Li Benjamin\u00a0N. Grosof and Joan Feigenbaum. 2000. A Nonmonotonic Delegation Logic with Prioritized Conflict Handling. https:\/\/www.cs.purdue.edu\/homes\/ninghui\/papers\/old\/d2lp.pdf."},{"key":"e_1_3_2_1_66_1","unstructured":"Hannes Magnusson. 2010. The PHP project and Code Review. http:\/\/bjori.blogspot.com\/2010\/12\/php-project-and-code-review.html."},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/501983.502017"},{"key":"e_1_3_2_1_68_1","unstructured":"Microsoft Inc.2012. Flame malware collision attack explained. http:\/\/blogs.technet.com\/b\/srd\/archive\/2012\/06\/06\/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx."},{"key":"e_1_3_2_1_69_1","unstructured":"Matt Mullenweg. 2011. Passwords Reset. https:\/\/wordpress.org\/news\/2011\/06\/passwords-reset\/."},{"key":"e_1_3_2_1_70_1","unstructured":"npm Inc.[n. d.]. npm. https:\/\/www.npmjs.com\/."},{"key":"e_1_3_2_1_71_1","unstructured":"Jarrod Overson. 2019. How Two Malicious NPM Packages Targeted & Sabotaged Others. https:\/\/jsoverson.medium.com\/how-two-malicious-npm-packages-targeted-sabotaged-one-other-fed7199099c8."},{"key":"e_1_3_2_1_72_1","unstructured":"pacman 2021. pacman.conf."},{"key":"e_1_3_2_1_73_1","unstructured":"pear 2022. When PHP Went Pear Shaped- The PHP PEAR Compromise. https:\/\/blog.cpanel.com\/when-php-went-pear-shaped-the-php-pear-compromise\/."},{"key":"e_1_3_2_1_74_1","unstructured":"Python Software Foundation. [n. d.]. PyPI - the Python Package Index: Python Package Index. https:\/\/pypi.python.org\/pypi."},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"crossref","unstructured":"Red Hat Inc.2008. Infrastructure report 2008-08-22 UTC 1200. https:\/\/rhn.redhat.com\/errata\/RHSA-2008-0855.html.","DOI":"10.1055\/s-2008-1078558"},{"key":"e_1_3_2_1_76_1","unstructured":"Redacted. [n. d.]. Redacted for anonymous submission."},{"key":"e_1_3_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-72540-4_13"},{"key":"e_1_3_2_1_78_1","unstructured":"RubyGems.org. 2013. Data Verification. http:\/\/blog.rubygems.org\/2013\/01\/31\/data-verification.html."},{"key":"e_1_3_2_1_79_1","volume-title":"Hal L\u00a0Feinstein Coyne, and Charles\u00a0E. Youman","author":"Ravi","year":"1996","unstructured":"Ravi S, Edward\u00a0J Sandhu, Hal L\u00a0Feinstein Coyne, and Charles\u00a0E. Youman. 1996. Role Based Access Control Models. In Computer. 38\u201347."},{"key":"e_1_3_2_1_80_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866315"},{"key":"e_1_3_2_1_81_1","unstructured":"James Sanders. 2019. Malicious libraries in package repositories reveal a fundamental security flaw. https:\/\/www.techrepublic.com\/article\/malicious-libraries-in-package-repositories-reveal-a-fundamental-security-flaw\/."},{"key":"e_1_3_2_1_82_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0065-2458(08)60206-5"},{"key":"e_1_3_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1109\/2.485845"},{"key":"e_1_3_2_1_84_1","doi-asserted-by":"publisher","DOI":"10.1145\/98163.98167"},{"key":"e_1_3_2_1_85_1","unstructured":"CNCF\u00a0TAG Security. 2021. Catalog of Supply Chain Compromises. https:\/\/github.com\/cncf\/tag-security\/tree\/main\/supply-chain-security\/compromises."},{"key":"e_1_3_2_1_86_1","doi-asserted-by":"publisher","DOI":"10.1145\/359168.359176"},{"key":"e_1_3_2_1_87_1","volume-title":"Linux, macOS Devices. https:\/\/blog.sonatype.com\/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices. sonatype blog","author":"Sharma Ax","year":"2021","unstructured":"Ax Sharma. 2021. Newly Found npm Malware Mines Cryptocurrency on Windows, Linux, macOS Devices. https:\/\/blog.sonatype.com\/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices. sonatype blog (2021)."},{"key":"e_1_3_2_1_88_1","unstructured":"Ax Sharma. 2021. Researcher hacks over 35 tech firms in novel supply chain attack. https:\/\/www.bleepingcomputer.com\/news\/security\/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack\/."},{"key":"e_1_3_2_1_89_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-45539-6_15"},{"key":"e_1_3_2_1_90_1","unstructured":"Sigstore. 2021. A new standard for signing verifying and protecting software. https:\/\/www.sigstore.dev\/."},{"key":"e_1_3_2_1_91_1","unstructured":"Slashdot Media. 2012. phpMyAdmin corrupted copy on Korean mirror server. https:\/\/sourceforge.net\/blog\/phpmyadmin-back-door\/."},{"key":"e_1_3_2_1_92_1","volume-title":"Security incident on Fedora infrastructure on","author":"Smith K.","year":"2011","unstructured":"Jared\u00a0K. Smith. 2011. Security incident on Fedora infrastructure on 23 Jan 2011. https:\/\/lists.fedoraproject.org\/pipermail\/announce\/2011-January\/002911.html."},{"key":"e_1_3_2_1_93_1","unstructured":"Snyk. 2022. CVE-2022-23812. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-23812."},{"key":"e_1_3_2_1_94_1","unstructured":"socket 2022. Socket - Secure your JavaScript Supply Chain. https:\/\/socket.dev\/."},{"key":"e_1_3_2_1_95_1","unstructured":"SuperOleg39. 2021. Security issue: compromised npm packages of ua-parser-js (0.7.29 0.8.0 1.0.0) - Questions about deprecated npm package ua-parser-js. https:\/\/github.com\/faisalman\/ua-parser-js\/issues\/536."},{"key":"e_1_3_2_1_96_1","volume-title":"Open source maintainer pulls the plug on npm packages colors and faker, now what?https:\/\/snyk.io\/blog\/open-source-npm-packages-colors-faker\/. snyk blog","author":"Tal Liran","year":"2022","unstructured":"Liran Tal and Assaf\u00a0Ben Josef. 2022. Open source maintainer pulls the plug on npm packages colors and faker, now what?https:\/\/snyk.io\/blog\/open-source-npm-packages-colors-faker\/. snyk blog (2022)."},{"key":"e_1_3_2_1_97_1","unstructured":"National Telecommunications and Information Administration. 2021. Software Bill of Materials. https:\/\/www.ntia.gov\/SBOM."},{"key":"e_1_3_2_1_98_1","unstructured":"The FreeBSD Project. 2012. FreeBSD.org intrusion announced November 17th 2012. http:\/\/www.freebsd.org\/news\/2012-compromise.html."},{"volume-title":"php.net security notice","author":"The PHP Group","key":"e_1_3_2_1_99_1","unstructured":"The PHP Group. 2011. php.net security notice. http:\/\/www.php.net\/archive\/2011.php#id2011-03-19-1."},{"volume-title":"A further update on php.net","author":"The PHP Group","key":"e_1_3_2_1_100_1","unstructured":"The PHP Group. 2013. A further update on php.net. http:\/\/php.net\/archive\/2013.php#id2013-10-24-2."},{"key":"e_1_3_2_1_101_1","volume-title":"28th USENIX Security Symposium(USENIX Sec\u201919)","author":"Torres-Arias S","year":"2019","unstructured":"S Torres-Arias, H Nanize, T Kuppusamy, R Curtmola, and J Cappos. 2019. in-toto: providing farm-to-table security properties for bits and bytes. In 28th USENIX Security Symposium(USENIX Sec\u201919)."},{"key":"e_1_3_2_1_102_1","unstructured":"Ubuntu 2018. Ubuntu Sources List Generator. https:\/\/repogen.simplylinux.ch\/index.php."},{"key":"e_1_3_2_1_103_1","unstructured":"Laurie Voss. 2014. Newly Paranoid Maintainers. http:\/\/blog.npmjs.org\/post\/80277229932\/newly-paranoid-maintainers."},{"key":"e_1_3_2_1_104_1","unstructured":"Warehouse. 2022. BigQuery Datasets. https:\/\/warehouse.pypa.io\/api-reference\/bigquery-datasets.html."},{"key":"e_1_3_2_1_105_1","doi-asserted-by":"publisher","DOI":"10.1109\/SRDS.2015.31"},{"key":"e_1_3_2_1_106_1","unstructured":"SPDX Workgroup. 2021. The Software Package Data Exchange. Technical Report. The Linux Foundation."}],"event":{"name":"ACSAC '23: Annual Computer Security Applications Conference","acronym":"ACSAC '23","location":"Austin TX USA"},"container-title":["Annual Computer Security Applications Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3627106.3627129","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3627106.3627129","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T17:38:55Z","timestamp":1755884335000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3627106.3627129"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,12,4]]},"references-count":106,"alternative-id":["10.1145\/3627106.3627129","10.1145\/3627106"],"URL":"https:\/\/doi.org\/10.1145\/3627106.3627129","relation":{},"subject":[],"published":{"date-parts":[[2023,12,4]]},"assertion":[{"value":"2023-12-04","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}