{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T00:05:20Z","timestamp":1755907520054,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":86,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,12,2]],"date-time":"2024-12-02T00:00:00Z","timestamp":1733097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Postdoctoral Fellowship Program of CPSF","award":["GZC20231361"],"award-info":[{"award-number":["GZC20231361"]}]},{"DOI":"10.13039\/501100006374","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-2054657,CNS- 2317830,OAC-231997"],"award-info":[{"award-number":["CNS-2054657,CNS- 2317830,OAC-231997"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,12,2]]},"DOI":"10.1145\/3658644.3670366","type":"proceedings-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T12:19:20Z","timestamp":1733746760000},"page":"482-496","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Toward Understanding the Security of Plugins in Continuous Integration Services"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-5951-1948","authenticated-orcid":false,"given":"Xiaofan","family":"Li","sequence":"first","affiliation":[{"name":"The University of Delaware, Newark, DE, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2221-5689","authenticated-orcid":false,"given":"Yacong","family":"Gu","sequence":"additional","affiliation":[{"name":"Tsinghua University QI-ANXIN Group, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7491-310X","authenticated-orcid":false,"given":"Chu","family":"Qiao","sequence":"additional","affiliation":[{"name":"The University of Delaware, Newark, DE, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9025-3460","authenticated-orcid":false,"given":"Zhenkai","family":"Zhang","sequence":"additional","affiliation":[{"name":"Clemson University, Clemson, SC, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9660-4444","authenticated-orcid":false,"given":"Daiping","family":"Liu","sequence":"additional","affiliation":[{"name":"Palo Alto Networks, Santa Clara, CA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7445-9103","authenticated-orcid":false,"given":"Lingyun","family":"Ying","sequence":"additional","affiliation":[{"name":"QI-ANXIN Technology Research Institute, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0083-733X","authenticated-orcid":false,"given":"Haixin","family":"Duan","sequence":"additional","affiliation":[{"name":"Tsinghua University Zhongguancun Laboratory, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-2574-029X","authenticated-orcid":false,"given":"Xing","family":"Gao","sequence":"additional","affiliation":[{"name":"The University of Delaware, Newark, DE, USA"}]}],"member":"320","published-online":{"date-parts":[[2024,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2024. Continuous Integration Solutions Market Size. https:\/\/www.mordorintelligence.com\/industry-reports\/continuous-integration-toolsmarket"},{"key":"e_1_3_2_1_2_1","unstructured":"Ionut Arghire. 2024. Major IT Crypto Firms Exposed to Supply Chain Compromise via New Class of CI\/CD Attack. https:\/\/www.securityweek.com\/major-itcrypto-firms-exposed-to-supply-chain-compromise-via-new-class-of-ci-cdattack\/? utm_source=dlvr.it&utm_medium=twitter"},{"key":"e_1_3_2_1_3_1","unstructured":"Home Assistant. 2024. Open source home automation that puts local control and privacy first. https:\/\/github.com\/home-assistant\/core"},{"key":"e_1_3_2_1_4_1","unstructured":"Atlassian. 2023. Bitbucket Cloud Variables and Secrets. https:\/\/support.atlassian.com\/bitbucket-cloud\/docs\/variables-and-secrets\/"},{"key":"e_1_3_2_1_5_1","unstructured":"AvaloniaUI. 2024. Avalonia. https:\/\/github.com\/AvaloniaUI\/Avalonia\/blob\/master\/azure-pipelines.yml#L9"},{"key":"e_1_3_2_1_6_1","volume-title":"Automatic Security Assessment of GitHub Actions Workflows. In 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses.","author":"Benedetti Giacomo","year":"2022","unstructured":"Giacomo Benedetti, Luca Verderame, and Alessio Merlo. 2022. Automatic Security Assessment of GitHub Actions Workflows. In 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses."},{"key":"e_1_3_2_1_7_1","unstructured":"Bertus. 2018. Cryptocurrency Clipboard Hijacker Discovered in PyPI Repository. https:\/\/bertusk.medium.com\/cryptocurrency-clipboard-hijackerdiscovered- in-pypi-repository-b66b8a534a8"},{"key":"e_1_3_2_1_8_1","unstructured":"GitHub Blog. 2017. GitHub Data Ready for You to Explore with Big- Query. https:\/\/github.blog\/2017-01--19-github-data-ready-for-you-to-explorewith- bigquery\/"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455841"},{"key":"e_1_3_2_1_10_1","unstructured":"IEEE S&P 2024 CFP. 2024. Ethical Considerations for Vulnerability Disclosure. https:\/\/sp2024.ieee-security.org\/cfpapers.html"},{"key":"e_1_3_2_1_11_1","unstructured":"CircleCI. 2024. CircleCI Orb Registry. https:\/\/circleci.com\/developer\/orbs"},{"key":"e_1_3_2_1_12_1","unstructured":"CodeQL. 2024. CodeQL. https:\/\/codeql.github.com\/"},{"key":"e_1_3_2_1_13_1","unstructured":"curl. 2024. curl. https:\/\/github.com\/curl\/curl"},{"key":"e_1_3_2_1_14_1","volume-title":"2018 USENIX Security Symposium.","author":"Davis James C","year":"2018","unstructured":"James C Davis, Eric R Williamson, and Dongyoon Lee. 2018. A Sense of Time for JavaScript and Node.js: First-Class Timeouts as a Cure for Event Handler Poisoning. In 2018 USENIX Security Symposium."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196401"},{"key":"e_1_3_2_1_16_1","unstructured":"Dependabot. 2024. Dependabot Automated dependency updates built into GitHub. https:\/\/github.com\/dependabot"},{"key":"e_1_3_2_1_17_1","unstructured":"GitLab Documentation. 2023. Projects API - GitLab. https:\/\/docs.gitlab.com\/ee\/ api\/projects.html"},{"key":"e_1_3_2_1_18_1","unstructured":"GitLab Documentation. 2023. Repository Files API - GitLab. https:\/\/docs.gitlab. com\/ee\/api\/repository_files.html"},{"key":"e_1_3_2_1_19_1","unstructured":"dreamli0. 2024. dreamli0\/Inter-Job-PoC. https:\/\/github.com\/dreamli0\/Inter-Job- PoC\/blob\/main\/.github\/workflows\/blank.yml"},{"key":"e_1_3_2_1_20_1","volume-title":"Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages. In 2021 Network and Distributed System Security Symposium.","author":"Duan Ruian","year":"2021","unstructured":"Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2021. Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages. In 2021 Network and Distributed System Security Symposium."},{"key":"e_1_3_2_1_21_1","unstructured":"enlyft. 2024. Companies using Azure Pipelines. https:\/\/enlyft.com\/tech\/products\/ azure-pipelines"},{"key":"e_1_3_2_1_22_1","volume-title":"Continuous Integration Theater. In 2019 ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement.","author":"Felidr\u00e9 Wagner","year":"2019","unstructured":"Wagner Felidr\u00e9, Leonardo Furtado, Daniel A da Costa, Bruno Cartaxo, and Gustavo Pinto. 2019. Continuous Integration Theater. In 2019 ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510150"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00121"},{"key":"e_1_3_2_1_25_1","volume-title":"Use and Misuse of Continuous Integration Features: An Empirical Study of Projects That (Mis)Use Travis CI. 2020 IEEE Transactions on Software Engineering","author":"Gallaba Keheliya","year":"2020","unstructured":"Keheliya Gallaba and Shane McIntosh. 2020. Use and Misuse of Continuous Integration Features: An Empirical Study of Projects That (Mis)Use Travis CI. 2020 IEEE Transactions on Software Engineering (2020)."},{"volume-title":"Doc Hash-function-transition: Pick SHA-256 as NewHash. https:\/\/lore. kernel.org\/git\/20180725083024.16131--3-avarab@gmail.com\/","year":"2018","key":"e_1_3_2_1_26_1","unstructured":"Git. 2018. Doc Hash-function-transition: Pick SHA-256 as NewHash. https:\/\/lore. kernel.org\/git\/20180725083024.16131--3-avarab@gmail.com\/"},{"key":"e_1_3_2_1_27_1","unstructured":"Git. 2024. Choice of Hash. https:\/\/git-scm.com\/docs\/hash-function-transition# _choice_of_hash"},{"key":"e_1_3_2_1_28_1","unstructured":"Git. 2024. Git Tools - Revision Selection. https:\/\/git-scm.com\/book\/en\/v2\/Git- Tools-Revision-Selection#Short-SHA-1"},{"key":"e_1_3_2_1_29_1","unstructured":"Git. 2024. Hash Function Transition Background. https:\/\/git-scm.com\/docs\/hashfunction- transition#_background"},{"key":"e_1_3_2_1_30_1","unstructured":"GitHub. 2023. Encrypted secrets - GitHub Docs. https:\/\/docs.github.com\/en\/ actions\/security-guides\/encrypted-secrets"},{"key":"e_1_3_2_1_31_1","unstructured":"GitHub. 2024. About Self-hosted Runners - GitHub Doc. https:\/\/docs.github. com\/en\/actions\/hosting-your-own-runners\/about-self-hosted-runners"},{"key":"e_1_3_2_1_32_1","unstructured":"GitHub. 2024. Assigning permissions to jobs - GitHub Doc. https:\/\/docs.github. com\/en\/actions\/using-jobs\/assigning-permissions-to-jobs"},{"key":"e_1_3_2_1_33_1","unstructured":"GitHub. 2024. Bug Report. https:\/\/support.github.com\/contact\/bug-report"},{"key":"e_1_3_2_1_34_1","unstructured":"GitHub. 2024. Changing Your GitHub Username - GitHub Doc. https:\/\/docs.github.com\/en\/account-and-profile\/setting-up-and-managingyour- github-user-account\/managing-user-account-settings\/changing-yourgithub- username"},{"key":"e_1_3_2_1_35_1","unstructured":"GitHub. 2024. Get a user. https:\/\/api.github.com\/users\/{USERNAME}"},{"key":"e_1_3_2_1_36_1","unstructured":"GitHub. 2024. GitHub Actions Marketplace. https:\/\/github.com\/marketplace? type=actions"},{"key":"e_1_3_2_1_37_1","unstructured":"GitHub. 2024. GitHub Actions Reusing workflows. https:\/\/docs.github.com\/en\/ actions\/using-workflows\/reusing-workflows"},{"key":"e_1_3_2_1_38_1","unstructured":"GitHub. 2024. GitHub Docs - Get a repository. https:\/\/docs.github.com\/en\/rest\/ repos\/repos?apiVersion=2022--11--28#get-a-repository"},{"key":"e_1_3_2_1_39_1","unstructured":"GitHub. 2024. Setting your commit email address on GitHub. https: \/\/docs.github.com\/en\/account-and-profile\/setting-up-and-managing-yourpersonal- account-on-github\/managing-email-preferences\/setting-yourcommit- email-address"},{"key":"e_1_3_2_1_40_1","unstructured":"GitHub. 2024. Transferring a Repository. https:\/\/docs.github.com\/en\/ repositories\/creating-and-managing-repositories\/transferring-a-repository"},{"key":"e_1_3_2_1_41_1","unstructured":"GitHub. 2024. Understanding the risk of script injections - GitHub Docs. https:\/\/docs.github.com\/en\/actions\/security-guides\/security-hardeningfor- github-actions#understanding-the-risk-of-script-injections"},{"key":"e_1_3_2_1_42_1","unstructured":"GitHub. 2024. A user does not set a public email address. https:\/\/api.github.com\/ users\/dynamoose"},{"key":"e_1_3_2_1_43_1","unstructured":"GitHub. 2024. Using Third-party Actions. https:\/\/docs.github.com\/en\/actions\/ security-guides\/security-hardening-for-github-actions#using-third-partyactions"},{"key":"e_1_3_2_1_44_1","unstructured":"GitLab. 2024. GitLab Docs - Get single project. https:\/\/docs.gitlab.com\/ee\/api\/ projects.html#get-single-project\/"},{"key":"e_1_3_2_1_45_1","unstructured":"GitLab. 2024. Job permissions - Permissions and roles. https:\/\/docs.gitlab.com\/ ee\/user\/permissions.html#job-permissions"},{"key":"e_1_3_2_1_46_1","unstructured":"GitLab. 2024. Use CI\/CD configuration from other files. https:\/\/docs.gitlab.com\/ ee\/ci\/yaml\/includes.html"},{"key":"e_1_3_2_1_47_1","unstructured":"GitLab.org. 2024. GitLab. https:\/\/gitlab.com\/gitlab-org\/gitlab"},{"key":"e_1_3_2_1_48_1","volume-title":"Continuous Intrusion: Characterizing the Security of Continuous Integration Services. In 2023 IEEE Symposium on Security and Privacy.","author":"Gu Yacong","year":"2023","unstructured":"Yacong Gu, Lingyun Ying, Huajun Chai, Chu Qiao, Haixin Duan, and Xing Gao. 2023. Continuous Intrusion: Characterizing the Security of Continuous Integration Services. In 2023 IEEE Symposium on Security and Privacy."},{"key":"e_1_3_2_1_49_1","volume-title":"Investigating Package Related Security Threats in Software Registries. In 2023 IEEE Symposium on Security and Privacy.","author":"Gu Yacong","year":"2023","unstructured":"Yacong Gu, Lingyun Ying, Yingyuan Pu, Xiao Hu, Huajun Chai, Ruimin Wang, Xing Gao, and Haixin Duan. 2023. Investigating Package Related Security Threats in Software Registries. In 2023 IEEE Symposium on Security and Privacy."},{"key":"e_1_3_2_1_50_1","volume-title":"An Empirical Study of Malicious Code In PyPI Ecosystem. In 2023 IEEE\/ACM International Conference on Automated Software Engineering.","author":"Guo Wenbo","year":"2023","unstructured":"Wenbo Guo, Zhengzi Xu, Chengwei Liu, Cheng Huang, Yong Fang, and Yang Liu. 2023. An Empirical Study of Malicious Code In PyPI Ecosystem. In 2023 IEEE\/ACM International Conference on Automated Software Engineering."},{"key":"e_1_3_2_1_51_1","unstructured":"HackerOne. 2024. HackerOne | #1 Trusted Security Platform and Hacker Program. https:\/\/www.hackerone.com"},{"key":"e_1_3_2_1_52_1","unstructured":"JI Hejderup. 2015. In Dependencies We Trust: How Vulnerable Are Dependencies in Software Modules?"},{"key":"e_1_3_2_1_53_1","unstructured":"Open Source Insights. 2024. Open Source Insights Understand your dependencies. https:\/\/deps.dev\/\/"},{"key":"e_1_3_2_1_54_1","unstructured":"JanDeDobbeleer. 2024. oh-my-posh. https:\/\/github.com\/JanDeDobbeleer\/ohmy- posh"},{"key":"e_1_3_2_1_55_1","volume-title":"Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse. In 2017 ACM SIGSAC Conference on Computer and Communications Security.","author":"Kintis Panagiotis","year":"2017","unstructured":"Panagiotis Kintis, Najmeh Miramirkhani, Charles Lever, Yizheng Chen, Rosa Romero-G\u00f3mez, Nikolaos Pitropakis, Nick Nikiforakis, and Manos Antonakakis. 2017. Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse. In 2017 ACM SIGSAC Conference on Computer and Communications Security."},{"key":"e_1_3_2_1_56_1","volume-title":"Characterizing the Security of Github CI Workflows. In 2022 USENIX Security Symposium.","author":"Koishybayev Igibek","year":"2022","unstructured":"Igibek Koishybayev, Aleksandr Nahapetyan, Raima Zachariah, Siddharth Muralee, Bradley Reaves, Alexandros Kapravelos, and Aravind Machiry. 2022. Characterizing the Security of Github CI Workflows. In 2022 USENIX Security Symposium."},{"key":"e_1_3_2_1_57_1","volume-title":"SoK: Taxonomy of Attacks on Open-Source Software Supply Chains. In 2023 IEEE Symposium on Security and Privacy.","author":"Ladisa Piergiorgio","year":"2023","unstructured":"Piergiorgio Ladisa, Henrik Plate, Matias Martinez, and Olivier Barais. 2023. SoK: Taxonomy of Attacks on Open-Source Software Supply Chains. In 2023 IEEE Symposium on Security and Privacy."},{"key":"e_1_3_2_1_58_1","unstructured":"Ravie Lakshmanan. 2021. Malicious NPM Libraries Caught Installing Password Stealer and Ransomware. https:\/\/thehackernews.com\/2021\/10\/malicious-npmlibraries- caught.html"},{"key":"e_1_3_2_1_59_1","volume-title":"Robbery on DevOps: Understanding and Mitigating Illicit Cryptomining on Continuous Integration Service Platforms. In 2022 IEEE Symposium on Security and Privacy.","author":"Li Zhi","year":"2022","unstructured":"Zhi Li, Weijie Liu, Hongbo Chen, XiaoFeng Wang, Xiaojing Liao, Luyi Xing, Mingming Zha, Hai Jin, and Deqing Zou. 2022. Robbery on DevOps: Understanding and Mitigating Illicit Cryptomining on Continuous Integration Service Platforms. In 2022 IEEE Symposium on Security and Privacy."},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00085"},{"key":"e_1_3_2_1_61_1","volume-title":"Exploring the Unchartered Space of Container Registry Typosquatting. In 2022 USENIX Security Symposium.","author":"Liu Guannan","year":"2022","unstructured":"Guannan Liu, Xing Gao, Haining Wang, and Kun Sun. 2022. Exploring the Unchartered Space of Container Registry Typosquatting. In 2022 USENIX Security Symposium."},{"key":"e_1_3_2_1_62_1","volume-title":"Characterizing Secret Leakage in Public GitHub Repositories. In 2019 Network and Distributed System Security Symposium.","author":"Meli Michael","year":"2019","unstructured":"Michael Meli, Matthew R McNiece, and Bradley Reaves. 2019. How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories. In 2019 Network and Distributed System Security Symposium."},{"key":"e_1_3_2_1_63_1","unstructured":"Microsoft. 2024. Developer Community. https:\/\/developercommunity.visualstudio. com"},{"key":"e_1_3_2_1_64_1","volume-title":"ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions. In 2023 USENIX Security Symposium.","author":"Muralee Siddharth","year":"2023","unstructured":"Siddharth Muralee, Igibek Koishybayev, Aleksandr Nahapetyan, Greg Tystahl, Brad Reaves, Antonio Bianchi, William Enck, Alexandros Kapravelos, and Aravind Machiry. 2023. ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions. In 2023 USENIX Security Symposium."},{"key":"e_1_3_2_1_65_1","unstructured":"npm Docs. 2022. npm-unpublish. https:\/\/docs.npmjs.com\/cli\/v8\/commands\/npmunpublish"},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSA-C.2019.00026"},{"key":"e_1_3_2_1_67_1","unstructured":"Azure Pipelines. 2024. Azure Pipelines Extensions. https:\/\/marketplace. visualstudio.com\/search?target=AzureDevOps&category=Azure%20Pipelines"},{"key":"e_1_3_2_1_68_1","unstructured":"Azure Pipelines. 2024. Azure Pipelines Templates. https:\/\/learn.microsoft.com\/enus\/ azure\/devops\/pipelines\/process\/templates?view=azure-devops&pivots= templates-includes#use-other-repositories"},{"key":"e_1_3_2_1_69_1","unstructured":"Tom Preston-Werner. 2023. Semantic Versioning 2.0.0. https:\/\/semver.org\/"},{"key":"e_1_3_2_1_70_1","unstructured":"GH Archive Project. 2023. GH Archive. https:\/\/www.gharchive.org\/"},{"key":"e_1_3_2_1_71_1","unstructured":"Mitmproxy Project. 2024. mitmproxy - an interactive HTTPS proxy. https: \/\/mitmproxy.org\/"},{"key":"e_1_3_2_1_72_1","unstructured":"pytorch. 2024. pytorch. https:\/\/github.com\/pytorch\/pytorch"},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00033"},{"key":"e_1_3_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMSNETS48256.2020.9027350"},{"key":"e_1_3_2_1_75_1","unstructured":"scala-steward action. 2024. scala-steward-org\/scala-steward-action. https:\/\/github. com\/scala-steward-org\/scala-steward-action"},{"key":"e_1_3_2_1_76_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510104"},{"key":"e_1_3_2_1_77_1","unstructured":"SHAttered. 2017. SHAttered. https:\/\/shattered.io\/"},{"key":"e_1_3_2_1_78_1","volume-title":"Detecting and Mitigating Secret-Key Leaks in Source Code Repositories. In 2015 IEEE\/ACM Working Conference on Mining Software Repositories.","author":"Sinha Vibha Singhal","year":"2015","unstructured":"Vibha Singhal Sinha, Diptikalyan Saha, Pankaj Dhoolia, Rohan Padhye, and Senthil Mani. 2015. Detecting and Mitigating Secret-Key Leaks in Source Code Repositories. In 2015 IEEE\/ACM Working Conference on Mining Software Repositories."},{"key":"e_1_3_2_1_79_1","volume-title":"Freezing theWeb: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers. In 2018 USENIX Security Symposium.","author":"Staicu Cristian-Alexandru","year":"2018","unstructured":"Cristian-Alexandru Staicu and Michael Pradel. 2018. Freezing theWeb: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers. In 2018 USENIX Security Symposium."},{"key":"e_1_3_2_1_80_1","volume-title":"SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS. In 2018 Network and Distributed System Security Symposium.","author":"Staicu Cristian-Alexandru","year":"2018","unstructured":"Cristian-Alexandru Staicu, Michael Pradel, and Benjamin Livshits. 2018. SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS. In 2018 Network and Distributed System Security Symposium."},{"key":"e_1_3_2_1_81_1","unstructured":"Donald Stufft. 2015. Closing the Delete File Re-upload File Loophole. https: \/\/mail.python.org\/pipermail\/distutils-sig\/2015-January\/025683.html"},{"key":"e_1_3_2_1_82_1","volume-title":"Automated Reporting of Anti-Patterns and Decay in Continuous Integration. In 2019 IEEE\/ACM International Conference on Software Engineering.","author":"Vassallo Carmine","year":"2019","unstructured":"Carmine Vassallo, Sebastian Proksch, Harald C Gall, and Massimiliano Di Penta. 2019. Automated Reporting of Anti-Patterns and Decay in Continuous Integration. In 2019 IEEE\/ACM International Conference on Software Engineering."},{"key":"e_1_3_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409709"},{"key":"e_1_3_2_1_84_1","volume-title":"Bad Snakes: Understanding and Improving Python Package Index Malware Scanning. In 2023 IEEE\/ACM International Conference on Software Engineering.","author":"Vu Duc-Ly","year":"2023","unstructured":"Duc-Ly Vu, Zachary Newman, and John Speed Meyers. 2023. Bad Snakes: Understanding and Improving Python Package Index Malware Scanning. In 2023 IEEE\/ACM International Conference on Software Engineering."},{"key":"e_1_3_2_1_85_1","volume-title":"An Empirical Characterization of Bad Practices in Continuous Integration. 2020 Empirical Software Engineering","author":"Zampetti Fiorella","year":"2020","unstructured":"Fiorella Zampetti, Carmine Vassallo, Sebastiano Panichella, Gerardo Canfora, Harald Gall, and Massimiliano Di Penta. 2020. An Empirical Characterization of Bad Practices in Continuous Integration. 2020 Empirical Software Engineering (2020)."},{"key":"e_1_3_2_1_86_1","volume-title":"2019 USENIX Security Symposium.","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small World with High Risks: A Study of Security Threats in the npm Ecosystem. In 2019 USENIX Security Symposium."}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Salt Lake City UT USA","acronym":"CCS '24"},"container-title":["Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3670366","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3658644.3670366","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T05:53:06Z","timestamp":1755841986000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3670366"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,2]]},"references-count":86,"alternative-id":["10.1145\/3658644.3670366","10.1145\/3658644"],"URL":"https:\/\/doi.org\/10.1145\/3658644.3670366","relation":{},"subject":[],"published":{"date-parts":[[2024,12,2]]},"assertion":[{"value":"2024-12-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}