{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T09:58:48Z","timestamp":1775815128607,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":51,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,10,27]],"date-time":"2024-10-27T00:00:00Z","timestamp":1729987200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,10,27]]},"DOI":"10.1145\/3691620.3695262","type":"proceedings-article","created":{"date-parts":[[2024,10,18]],"date-time":"2024-10-18T15:39:19Z","timestamp":1729265959000},"page":"1990-2001","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["Towards Robust Detection of Open Source Software Supply Chain Poisoning Attacks in Industry Environments"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-5792-8897","authenticated-orcid":false,"given":"Xinyi","family":"Zheng","sequence":"first","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-6312-8601","authenticated-orcid":false,"given":"Chen","family":"Wei","sequence":"additional","affiliation":[{"name":"MYbank, Ant Group, Hangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3818-3343","authenticated-orcid":false,"given":"Shenao","family":"Wang","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8793-5367","authenticated-orcid":false,"given":"Yanjie","family":"Zhao","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-8255-7926","authenticated-orcid":false,"given":"Peiming","family":"Gao","sequence":"additional","affiliation":[{"name":"MYbank, Ant Group, Hangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-8396-8833","authenticated-orcid":false,"given":"Yuanchao","family":"Zhang","sequence":"additional","affiliation":[{"name":"MYbank, Ant Group, Hangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3977-6573","authenticated-orcid":false,"given":"Kailong","family":"Wang","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1100-8633","authenticated-orcid":false,"given":"Haoyu","family":"Wang","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]}],"member":"320","published-online":{"date-parts":[[2024,10,27]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Aarnav M. Bos. 2023. A Review of Attacks Against Language-Based Package Managers. arXiv:2302.08959 [cs.SE] https:\/\/arxiv.org\/abs\/2302.08959"},{"key":"e_1_3_2_1_2_1","unstructured":"DataDog. 2024. GuardDog. https:\/\/github.com\/DataDog\/guarddog. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_3_1","volume-title":"Ryan Elder, Brendan Saltaformaggio, and Wenke Lee.","author":"Duan Ruian","year":"2021","unstructured":"Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2021. Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages. In 28th Annual Network and Distributed System Security Symposium, NDSS. https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/ndss2021_1B-1_23055_paper.pdf"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2022.3142338"},{"key":"e_1_3_2_1_5_1","unstructured":"falcosecurity. 2024. What is Malware & How to Stay Protected from Malware Attacks. https:\/\/github.com\/falcosecurity\/falco. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_6_1","unstructured":"Python Software Foundation. 2024. The Python Package Index. https:\/\/pypi.org. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-NIER.2019.00012"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00135"},{"key":"e_1_3_2_1_9_1","volume-title":"DONAPI: Malicious NPM Packages Detector using Behavior Sequence Knowledge Mapping. arXiv preprint arXiv:2403.08334","author":"Huang Cheng","year":"2024","unstructured":"Cheng Huang, Nannan Wang, Ziyan Wang, Siqi Sun, Lingzi Li, Junren Chen, Qianchong Zhao, Jiaxuan Han, Zhen Yang, and Lei Shi. 2024. DONAPI: Malicious NPM Packages Detector using Behavior Sequence Knowledge Mapping. arXiv preprint arXiv:2403.08334 (2024)."},{"key":"e_1_3_2_1_10_1","unstructured":"Docker Hub. 2024. Node Docker Official Image. https:\/\/hub.docker.com\/_\/node. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_11_1","unstructured":"Docker Hub. 2024. Python Docker Official Image. https:\/\/hub.docker.com\/_\/python. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3473135"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/3583119"},{"key":"e_1_3_2_1_14_1","volume-title":"ECOOP'97 --- Object-Oriented Programming, Mehmet Ak\u015fit and Satoshi Matsuoka (Eds.)","author":"Kiczales Gregor","unstructured":"Gregor Kiczales, John Lamping, Anurag Mendhekar, Chris Maeda, Cristina Lopes, Jean-Marc Loingtier, and John Irwin. 1997. Aspect-oriented programming. In ECOOP'97 --- Object-Oriented Programming, Mehmet Ak\u015fit and Satoshi Matsuoka (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 220--242."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179304"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3627106.3627138"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00073"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623166"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510142"},{"key":"e_1_3_2_1_20_1","unstructured":"lxyeternal. 2024. pypi_malregistry. https:\/\/github.com\/lxyeternal\/pypi_malregistry. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_21_1","unstructured":"lyvd. 2022. bandit4mal. https:\/\/github.com\/lyvd\/bandit4mal. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_22_1","unstructured":"Luke Mcbride. 2021. Are you still wondering about dependency confusion attacks? https:\/\/www.sonatype.com\/blog\/are-you-still-wondering-about-dependency-confusion-attacks. Accessed: 2024-07-15."},{"key":"e_1_3_2_1_23_1","unstructured":"microsoft. 2024. ApplicationInspector. https:\/\/github.com\/microsoft\/ApplicationInspector. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_24_1","unstructured":"microsoft. 2024. OSSGadget. https:\/\/github.com\/microsoft\/OSSGadget. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510124"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN48987.2021.00065"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3623321"},{"key":"e_1_3_2_1_28_1","unstructured":"npm. 2024. NPM Official Registry. https:\/\/registry.npmjs.org. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3538969.3544415"},{"key":"e_1_3_2_1_30_1","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment, Cl\u00e9mentine Maurice","author":"Ohm Marc","unstructured":"Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier. 2020. Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment, Cl\u00e9mentine Maurice, Leyla Bilge, Gianluca Stringhini, and Nuno Neves (Eds.). Springer International Publishing, Cham, 23--43."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3600160.3600162"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3407023.3409183"},{"key":"e_1_3_2_1_33_1","unstructured":"Open Source Security Foundation (OpenSSF). 2024. package-analysis. https:\/\/github.com\/ossf\/package-analysis. Accessed: 2024-07-15."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3329786"},{"key":"e_1_3_2_1_35_1","unstructured":"OSV. 2024. OSV Vulnerabilities Database. https:\/\/osv.dev\/list?q=&ecosystem=npm. Accessed: 2024-09-13."},{"key":"e_1_3_2_1_36_1","unstructured":"Henrik Plate. 2020. OWASP Top 10 Risks for Open Source. https:\/\/www.endorlabs.com\/learn\/top-10-open-source-risks. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510104"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313752"},{"key":"e_1_3_2_1_39_1","unstructured":"Snyk. 2024. Snyk Vulnerability Database. https:\/\/security.snyk.io\/vuln\/npm. Accessed: 2024-09-13."},{"key":"e_1_3_2_1_40_1","unstructured":"Socket. 2024. alerts. https:\/\/socket.dev\/alerts. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_41_1","unstructured":"Socket. 2024. Known malware. https:\/\/socket.dev\/alerts\/malware\/packages?ecosystem=npm&page=1. Accessed: 2024-09-13."},{"key":"e_1_3_2_1_42_1","volume-title":"Introducing our 9th annual State of the Software Supply Chain report. https:\/\/www.sonatype.com\/blog\/introducing-our-9th-annual-state-of-the-software-supply-chain-report. Accessed: 2024-07-13","unstructured":"Sonatype. 2024. Introducing our 9th annual State of the Software Supply Chain report. https:\/\/www.sonatype.com\/blog\/introducing-our-9th-annual-state-of-the-software-supply-chain-report. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_43_1","unstructured":"Phylum Research Team. 2020. Typosquatting and Other Attacks Against Open Source Dependencies. https:\/\/blog.phylum.io\/malicious-packages-typosquatting-and-other-attacks-against-open-source-dependencies\/. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_44_1","volume-title":"Drew Davidson, and Vaibhav Rastogi.","author":"Vaidya Ruturaj K.","year":"2021","unstructured":"Ruturaj K. Vaidya, Lorenzo De Carli, Drew Davidson, and Vaibhav Rastogi. 2021. Security Issues in Language-based Software Ecosystems. arXiv:1903.02613 [cs.CR] https:\/\/arxiv.org\/abs\/1903.02613"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00052"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3420015"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW51379.2020.00074"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510457.3513044"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"crossref","unstructured":"Junan Zhang Kaifeng Huang Bihuan Chen Chong Wang Zhenhao Tian and Xin Peng. 2023. Malicious Package Detection in NPM and PyPI using a Single Model of Malicious Behavior Sequence. arXiv:2309.02637 [cs.CR] https:\/\/arxiv.org\/abs\/2309.02637","DOI":"10.1145\/3705304"},{"key":"e_1_3_2_1_50_1","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small World with High Risks: A Study of Security Threats in the npm Ecosystem. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 995--1010. https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/zimmerman"},{"key":"e_1_3_2_1_51_1","volume-title":"Proceedings of the 28th USENIX Conference on Security Symposium","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Smallworld with high risks: a study of security threats in the npm ecosystem. In Proceedings of the 28th USENIX Conference on Security Symposium (Santa Clara, CA, USA) (SEC'19). USENIX Association, USA, 995--1010."}],"event":{"name":"ASE '24: 39th IEEE\/ACM International Conference on Automated Software Engineering","location":"Sacramento CA USA","acronym":"ASE '24","sponsor":["SIGAI ACM Special Interest Group on Artificial Intelligence","SIGSOFT ACM Special Interest Group on Software Engineering","IEEE CS"]},"container-title":["Proceedings of the 39th IEEE\/ACM International Conference on Automated Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3691620.3695262","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3691620.3695262","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:04:07Z","timestamp":1750291447000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3691620.3695262"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,10,27]]},"references-count":51,"alternative-id":["10.1145\/3691620.3695262","10.1145\/3691620"],"URL":"https:\/\/doi.org\/10.1145\/3691620.3695262","relation":{},"subject":[],"published":{"date-parts":[[2024,10,27]]},"assertion":[{"value":"2024-10-27","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}