QUT-DV25: A Dataset for Dynamic Analysis of Next-Gen Software Supply Chain Attacks

TL;DR

QUT-DV25 is a dynamic dataset capturing real-time behaviors of Python packages, including malicious ones, to improve detection of sophisticated supply chain attacks in software ecosystems.

Contribution

The paper introduces QUT-DV25, a novel dynamic analysis dataset that captures install and post-install behaviors of Python packages, including malicious ones, to enhance supply chain attack detection.

Findings

Identified four malicious packages with covert remote access and multi-phase payloads.

Demonstrated the dataset's effectiveness in detecting previously labeled benign packages.

Outperformed static and metadata-based datasets in threat detection accuracy.

Abstract

Securing software supply chains is a growing challenge due to the inadequacy of existing datasets in capturing the complexity of next-gen attacks, such as multiphase malware execution, remote access activation, and dynamic payload generation. Existing datasets, which rely on metadata inspection and static code analysis, are inadequate for detecting such attacks. This creates a critical gap because these datasets do not capture what happens during and after a package is installed. To address this gap, we present QUT-DV25, a dynamic analysis dataset specifically designed to support and advance research on detecting and mitigating supply chain attacks within the Python Package Index (PyPI) ecosystem. This dataset captures install and post-install-time traces from 14,271 Python packages, of which 7,127 are malicious. The packages are executed in an isolated sandbox environment using an extended Berkeley Packet Filter (eBPF) kernel and user-level probes. It captures 36 real-time features, that includes system calls, network traffic, resource usages, directory access patterns, dependency logs, and installation behaviors, enabling the study of next-gen attack vectors. ML analysis using the QUT-DV25 dataset identified four malicious PyPI packages previously labeled as benign, each with thousands of downloads. These packages deployed covert remote access and multi-phase payloads, were reported to PyPI maintainers, and subsequently removed. This highlights the practical value of QUT-DV25, as it outperforms reactive, metadata, and static datasets, offering a robust foundation for developing and benchmarking advanced threat detection within the evolving software supply chain ecosystem.