Comment on page
listen.dev provides comprehensive coverage against common attack vectors and known indicators of harmful behavior, as well as unknown and emerging threats.
Static analysis of package code against a set of heuristics covering modern supply chain threats
Metadata analysis of upstream OSS repos against a set of heuristics covering modern supply chain risks
listen.dev also supports advisories for known vulnerabilities published in vulnerability databases.
Our starting coverage is on threats that trigger during installation of packages in the build phase-- the stage where 3rd-party libraries get bundled with internal application code. These threats can compromise development environments and CI/CD systems, or can be used by the attacker as an entrypoint to infiltrate production applications and infrastructure.
Threats that trigger during build processes in CI/CD environments
If a malicious package gets installed during the build, an attacker can perform some of these activities in the context of the build system:
- Steal code and any hardcoded sensitive data along with it.
- Plant a backdoor in code to be used after the code is deployed to the production environment.
- Steal compute resources like CPU, RAM, etc. for activities like crypto mining.
- Steal environment variables, sensitive files, credentials, certificates, etc.
- Perform lateral movement and privilege escalation with the data collected.
listen.dev provides protection against such threats through the following approach:
- 1.Monitoring builds to define baseline behavior: listen.dev profiles the behavior of dependencies (including network, filesystem, and process activities) in your CI pipeline to understand their benign state in trusted environments.
- 2.Detect Drift: we continuously scan for any deviations from the established baseline, detecting unusual activities such as unexpected file modifications, connections to suspicious URLs, or the use of potentially malicious (or tampered) binaries.
- 3.Proactive defense: in case of anomalous changes in package behavior, we alert users pre-emptively inside their workflows before the package is downloaded in downstream environments. This ensures early detection of vulnerabilities and maintains the integrity of development infra.
- 4.Policy enforcement: listen.dev enables safe development practices at scale and protects software integrity through policy-based controls to block the completion of suspicious builds. This allows for prompt remediation in the development process.
Last modified 4mo ago