Table of Contents
Fetching ...

Bridging Expert Reasoning and LLM Detection: A Knowledge-Driven Framework for Malicious Packages

Wenbo Guo, Shiwen Song, Jiaxun Guo, Zhengzi Xu, Chengwei Liu, Haoran Ou, Mengmeng Ge, Yang Liu

TL;DR

IntelGuard addresses the rising threat of malicious packages in open-source registries by bridging expert threat intelligence with automated detection through retrieval-augmented generation. It builds a structured knowledge base from 8,024 threat reports, capturing malicious code, behavioral descriptions, and expert reasoning chains, and applies LLM-guided semantic analysis with RAG to detect pre-installation maliciousness. The framework achieves near-SOTA accuracy (≈99%) with very low false positives and demonstrates strong obfuscation robustness (≈96.5%), including real-world deployment that uncovered 54 previously unknown malicious packages. This knowledge-driven approach provides interpretable, adaptable detection suitable for PyPI and npm ecosystems, with tangible security impact and potential for extension to additional software supply chains.

Abstract

Open-source ecosystems such as NPM and PyPI are increasingly targeted by supply chain attacks, yet existing detection methods either depend on fragile handcrafted rules or data-driven features that fail to capture evolving attack semantics. We present IntelGuard, a retrieval-augmented generation (RAG) based framework that integrates expert analytical reasoning into automated malicious package detection. IntelGuard constructs a structured knowledge base from over 8,000 threat intelligence reports, linking malicious code snippets with behavioral descriptions and expert reasoning. When analyzing new packages, it retrieves semantically similar malicious examples and applies LLM-guided reasoning to assess whether code behaviors align with intended functionality. Experiments on 4,027 real-world packages show that IntelGuard achieves 99% accuracy and a 0.50% false positive rate, while maintaining 96.5% accuracy on obfuscated code. Deployed on PyPI.org, it discovered 54 previously unreported malicious packages, demonstrating interpretable and robust detection guided by expert knowledge.

Bridging Expert Reasoning and LLM Detection: A Knowledge-Driven Framework for Malicious Packages

TL;DR

IntelGuard addresses the rising threat of malicious packages in open-source registries by bridging expert threat intelligence with automated detection through retrieval-augmented generation. It builds a structured knowledge base from 8,024 threat reports, capturing malicious code, behavioral descriptions, and expert reasoning chains, and applies LLM-guided semantic analysis with RAG to detect pre-installation maliciousness. The framework achieves near-SOTA accuracy (≈99%) with very low false positives and demonstrates strong obfuscation robustness (≈96.5%), including real-world deployment that uncovered 54 previously unknown malicious packages. This knowledge-driven approach provides interpretable, adaptable detection suitable for PyPI and npm ecosystems, with tangible security impact and potential for extension to additional software supply chains.

Abstract

Open-source ecosystems such as NPM and PyPI are increasingly targeted by supply chain attacks, yet existing detection methods either depend on fragile handcrafted rules or data-driven features that fail to capture evolving attack semantics. We present IntelGuard, a retrieval-augmented generation (RAG) based framework that integrates expert analytical reasoning into automated malicious package detection. IntelGuard constructs a structured knowledge base from over 8,000 threat intelligence reports, linking malicious code snippets with behavioral descriptions and expert reasoning. When analyzing new packages, it retrieves semantically similar malicious examples and applies LLM-guided reasoning to assess whether code behaviors align with intended functionality. Experiments on 4,027 real-world packages show that IntelGuard achieves 99% accuracy and a 0.50% false positive rate, while maintaining 96.5% accuracy on obfuscated code. Deployed on PyPI.org, it discovered 54 previously unreported malicious packages, demonstrating interpretable and robust detection guided by expert knowledge.
Paper Structure (30 sections, 6 equations, 3 figures, 9 tables)

This paper contains 30 sections, 6 equations, 3 figures, 9 tables.

Figures (3)

  • Figure 1: Framework of the IntelGuard
  • Figure 2: Package Ecosystem Comparison
  • Figure 3: PyPI security team confirmation for readosso-0.1.0 removal