Links

Threat detection

The key concepts behind the analysis approaches powering listen.dev
listen.dev is powered by a best-in-class detection engine that use a mix of techniques such as behavioural analysis, runtime monitoring (using eBPF), static and metadata analysis to detect adversarial activity at the earliest stages before it impacts your systems.

How does the detection work?

We maintain an index of packages published on open source package registries (such as npm) and constantly monitor them through our analysis pipelines and threat research team.
  • For every new package version that gets published upstream, we analyzes its behaviour inside sandboxed environments on our infrastructure. We use kernel-level monitoring to profile network, process, and filesystem activities, as well as other behavioural signals.
  • We also keep a track of any behavioral changes between subsequent releases of a package, and flag any tampering or suspicious updates in newly published versions.
  • Provide information to users capturing relevant context (such as execution traces and priority levels) on detected behaviors.
This enables us to provide comprehensive and accurate insights into the security of open source packages, allowing you to make informed decisions before using in your codebase.

What kind of harmful behaviours are detected?

We watch for common attack vectors, known indicators of harmful behavior as well as unknown threats including:
  • Install scripts (with runtime execution context)
  • Spawning of suspicious child processes
  • Sensitive data/credential exfiltration (e.g malicious code exfiltrating environment variables or secrets)
  • Suspicious network connections (e.g. pulling a malicious payload from an unauthorized source)
  • Suspicious filesystem access (e.g. tampering/reading contents of sensitive directories such as .ssh)
  • Detection of crypto-mining activity
See complete list here
Our starting coverage is on threats that trigger during the installation/build phase, which is the stage where 3rd party open source code gets bundled with internal application code.
The most common method for malware delivery on npm is through the install scripts which allow for arbitrary code execution on host systems. According to 2022 paper, 94% of malicious packages contained at least one install script. Read more about this attack vector in this blog post.
If you have any specific requests or feedback, please reach out to us.

What kind of attacks does it protect against?

listen.dev provides the first line of defense against a range of known and unknown supply chain threats, including:
  • Typo-squatting
  • Dependency confusion
  • Dependency poisoning through malware
  • Package & maintainer hijacking
  • Spam and troll packages

Why traditional approaches aren't sufficient against supply chain attacks?

The supply chain threat landscape is evolving rapidly, with today's adversaries using increasingly sophisticated and novel methods to craft attacks. Conversely, the security tooling industry hasn't kept up.
  • Traditional dependency scanners and SCA tools work by referencing databases of known and publicly disclosed vulnerabilities (CVEs) and your security depends on how updated these databases are.
  • If a package contains unknown vulnerabilities (e.g. a recent backdoor, malware or zero-day) it is in most cases already too late to contain the harm as some of these databases are updated after the information is publicly available.
Finding and patching only known vulnerabilities in your dependencies is a reactive approach and does not provide sufficient defense against modern supply chain attacks. Read more about the difference between known vulnerabilities and supply chain attacks in this blog post.
Last modified 10d ago
© 2023 Garnet Labs