Links
Comment on page

Issue coverage

listen.dev provides comprehensive coverage against common attack vectors and known indicators of harmful behavior, as well as unknown and emerging threats.
Key:
✅
released,
⌛
in progress,
📅
planned

Dynamic Package Behavior

Deep kernel-level monitoring of package behavior in sandboxed environments, powered by eBPF.
Outbound network connections
✅
​
Filesystem access
✅
​
Spawning child processes
✅
​
Sensitive data/credentials exfiltration
✅
​
Execution of install hooks / dynamic instrumentation
✅
​
Read more in dynamic analysis.
The checks mentioned below are currently in private beta. Please contact us for early access.

Package Source Code

Static analysis of package code against a set of heuristics covering modern supply chain threats
Suspicious URL strings
✅
​
Obfuscated code execution (base64)
✅
​
Detached process execution
✅
​
Env variable exfiltration
✅
​
Obfuscation (preview)
⌛
​
Long strings
⌛
​
Data exfiltration over network
⌛
​
Native code execution
⌛
​
Steganography
⌛
​
Downloading executable
⌛
​
Command overwrite
⌛
​

Package Metadata

Metadata analysis of upstream OSS repos against a set of heuristics covering modern supply chain risks
Empty README
✅
​
Non-npm dependency (http, git)
✅
​
Pre-release & unstable versions
✅
​
Skipped versions
✅
​
Repo mismatch
✅
​
Manifest confusion
✅
​
Spam package (preview)
⌛
​
Large upstream code changes
⌛
​
No tests
⌛
​
License Compliance (planned)
📅
Domain takeover
📅
​
S3 bucket takeover
📅
​

Known Vulnerabilities

listen.dev also supports advisories for known vulnerabilities published in vulnerability databases.
​CVE advisories ​
⌛
​
See examples of static and metadata checks in this section.
​

Why do you need proactive security at build-time?

Our starting coverage is on threats that trigger during installation of packages in the build phase-- the stage where 3rd-party libraries get bundled with internal application code. These threats can compromise development environments and CI/CD systems, or can be used by the attacker as an entrypoint to infiltrate production applications and infrastructure.
Threats that trigger during build processes in CI/CD environments
If a malicious package gets installed during the build, an attacker can perform some of these activities in the context of the build system:
  • Steal code and any hardcoded sensitive data along with it.
  • Plant a backdoor in code to be used after the code is deployed to the production environment.
  • Steal compute resources like CPU, RAM, etc. for activities like crypto mining.
  • Steal environment variables, sensitive files, credentials, certificates, etc.
  • Perform lateral movement and privilege escalation with the data collected.
listen.dev provides protection against such threats through the following approach:
  1. 1.
    Monitoring builds to define baseline behavior: listen.dev profiles the behavior of dependencies (including network, filesystem, and process activities) in your CI pipeline to understand their benign state in trusted environments.
  2. 2.
    Detect Drift: we continuously scan for any deviations from the established baseline, detecting unusual activities such as unexpected file modifications, connections to suspicious URLs, or the use of potentially malicious (or tampered) binaries.
  3. 3.
    Proactive defense: in case of anomalous changes in package behavior, we alert users pre-emptively inside their workflows before the package is downloaded in downstream environments. This ensures early detection of vulnerabilities and maintains the integrity of development infra.
  4. 4.
    Policy enforcement: listen.dev enables safe development practices at scale and protects software integrity through policy-based controls to block the completion of suspicious builds. This allows for prompt remediation in the development process.
​

Feedback and requests

Our team is constantly improving the ruleset and adding coverage for more attack vectors. If you have any specific requests or feedback, please reach out to us.​
Last modified 4mo ago
© 2023 Garnet Labs