Comment on page
Multi-layered threat analysis
The key concepts behind the analysis approaches powering listen.dev
listen.dev is powered by a best-in-class detection engine that use a mix of techniques such as behavioural analysis, runtime monitoring (using eBPF), static and metadata analysis to detect adversarial activity at the earliest stages before it impacts your systems.
We maintain an index of packages published on open source package registries (such as npm) and constantly monitor them through our analysis pipelines and threat research team.
- For every new package version that gets published upstream, we analyzes its behaviour inside sandboxed environments on our infrastructure. We use kernel-level monitoring to profile network, process, and filesystem activities, as well as other behavioural signals.
- We also keep a track of any behavioral changes between subsequent releases of a package, and flag any tampering or suspicious updates in newly published versions.
- Provide information to users capturing relevant context (such as execution traces and priority levels) on detected behaviors.
This enables us to provide comprehensive and accurate insights into the security of open source packages, allowing you to make informed decisions before using in your codebase.
We watch for common attack vectors, known indicators of harmful behavior as well as unknown threats including:
- Install scripts (with runtime execution context)
- Spawning of suspicious child processes
- Sensitive data/credential exfiltration (e.g malicious code exfiltrating environment variables or secrets)
- Suspicious network connections (e.g. pulling a malicious payload from an unauthorized source)
- Suspicious filesystem access (e.g. tampering/reading contents of sensitive directories such as .ssh)
- Detection of crypto-mining activity
Our starting coverage is on threats that trigger during the installation/build phase, which is the stage where 3rd party open source code gets bundled with internal application code.
listen.dev provides the first line of defense against a range of known and unknown supply chain threats, including:
- Typo-squatting
- Dependency confusion
- Dependency poisoning through malware
- Package & maintainer hijacking
- Spam and troll packages
The supply chain threat landscape is evolving rapidly, with today's adversaries using increasingly sophisticated and novel methods to craft attacks. Conversely, the security tooling industry hasn't kept up.
- Traditional dependency scanners and SCA tools work by referencing databases of known and publicly disclosed vulnerabilities (CVEs) and your security depends on how updated these databases are.
- If a package contains unknown vulnerabilities (e.g. a recent backdoor, malware or zero-day) it is in most cases already too late to contain the harm as some of these databases are updated after the information is publicly available.
Finding and patching only known vulnerabilities in your dependencies is a reactive approach and does not provide sufficient defense against modern supply chain attacks. Read more about the difference between known vulnerabilities and supply chain attacks in this blog post.
Last modified 5mo ago