Towards the Detection of Malicious Java Packages

TL;DR

This paper proposes static analysis indicators for detecting malicious Java packages by examining bytecode, demonstrating their effectiveness through experiments with real-world payloads injected into popular libraries.

Contribution

It introduces novel static indicators for malicious Java code detection and evaluates their performance in identifying injected malicious payloads.

Findings

String analysis in constant pool aids detection

Sensitive API usage indicates malicious behavior

Indicators reduce manual triage effort

Abstract

Open-source software supply chain attacks aim at infecting downstream users by poisoning open-source packages. The common way of consuming such artifacts is through package repositories and the development of vetting strategies to detect such attacks is ongoing research. Despite its popularity, the Java ecosystem is the less explored one in the context of supply chain attacks. In this paper we present indicators of malicious behavior that can be observed statically through the analysis of Java bytecode. Then we evaluate how such indicators and their combinations perform when detecting malicious code injections. We do so by injecting three malicious payloads taken from real-world examples into the Top-10 most popular Java libraries from libraries.io. We found that the analysis of strings in the constant pool and of sensitive APIs in the bytecode instructions aid in the task of detecting malicious Java packages by significantly reducing the information, thus, making also manual triage possible.