Lorenzo De Carli

Large-scale open-source software ecosystems, such as npm for JavaScript and PyPI for Python, are critical entities in the software supply chain. They provide a convenient ecosystem for developers to build their software by integrating external functionality as dependencies. While convenient, this style of software-building also presents risks. The scale of these ecosystems makes it easy for attackers to hide malicious code which can carry into highly popular packages, oftentimes hidden deep into dependency chains. In our work, we aim at building an understanding of security issues in this context, and propose remediations for the most pressing issues. Our work has looked at the issues of typosquatting (check out our NSS 2020 and our USENIX Security 2023 papers), insecure forking practices (ICSE 2022), and package install-time attacks (AsiaCCS 2022). Collaborators: Drew Davidson (KU), Ann Barcomb (UCalgary).