What was the last npm package you installed? Did anything unexpected happen? Are you sure?

The scale and pace of modern software development are made possible by the ready availability of open-source packages via major registries like npm and PyPI. These registries are always within reach of developers thanks to command-line package managers like npm and pip, enabling rapid testing and deployment of third-party code as part of normal workflows. However, these benefits come at the cost of particular security concerns: threat actors routinely target software developers via open-source package registries, either by publishing backdoored packages or by taking over and corrupting legitimate software. In many such supply-chain attacks, merely installing the malicious package is enough to hand control of one’s system over to the adversary.

In this talk, we lay out the strategies that threat actors use when targeting software developers via open-source package registries. We do so by examining case-studies in open-source malware delivery via npm and PyPI, some involving nation-state actors, that we at Datadog Security Research have collected while continuously monitoring these ecosystems with GuardDog, an open-source scanner for identifying malicious packages by analyzing code patterns and package metadata. We then propose recommendations for developers, as well as for the package registries themselves, to counter these strategies that could lead to a greater overall level of software supply-chain security in the open-source community.