With our increasing reliance on third-party software, our supply chain has become very complex and comes with a large number of risks that have led to many high-profile supply chain attacks. Different breaches have different causes and involve multiple steps to execute a supply chain attack. To secure our supply chain and ecosystem, we should adopt an adversarial mindset. In this research, we studied the npm ecosystem from the views of a data-driven attacker, focusing on how an attacker would use and assess the publicly available information to identify the weakest link in a software supply chain and then execute a large supply chain attack. 

The Scorecard project auto-generates a “security score” for OSS projects with a list of security check metrics to verify baseline security standards and generate valuable information about OSS threats and risks. We evaluated the OpenSSF Scorecard security metrics for the npm and PyPI ecosystems to assess the tool’s applicability, identify security gaps, and recommend practical, automated security adoption metrics for practitioners. Additionally, we extended our research to explore the impact of these security practices on overall product security outcomes.

Existing malicious code detection techniques often suffer from high misclassification rates. Therefore, malicious code detection techniques could be enhanced by adopting advanced, more automated approaches to achieve high accuracy and a low misclassification rate. We present SecurityAI, a malicious code review workflow to detect malicious code using ChatGPT models (GPT-3 and GPT-4). We constructed a benchmark dataset to validate our workflow and compare it with the state-of-the-art CodeQL static analysis tool.