Skip to content

What Happens to Author Reputation When Malicious Packages are Taken Offline?

What happens to an author after a malicious package is discovered and taken offline? Nothing, aside from the individual malicious package being taken down.

Published on

Oct 18, 2021

Written by

Aaron Bray, CEO


There has been an unprecedented rise in malware identified throughout the open-source ecosystem. Over the last several months alone, thousands of bad packages have been removed from package managers for typosquatting or for containing overtly malicious content, such as password or credential stealing code.

When an open-source package is flagged and removed for malicious behavior, what happens to the author’s other packages?

Absolutely nothing.

Case in Point

A clear example of this type of event occurred in July 2021. An open-source contributor published a JavaScript package which, on installation, extracted and exfiltrated stored passwords from the Chrome web browser. The original incident is detailed here.

While this package was discovered and removed, the response to the incident stopped there. This type of incomplete response highlights a major capability gap in general understanding of the software supply chain.

Looking back at the July 2021 event, which by all observations appears to be viewed as resolved, we see several problems:

  1. The developer in question is still active and able to publish new packages without oversight.
  2. The developer in question has 20 other active packages in the wild available for use by unknowing developers and other packages.
  3. Potential users of packages authored by the developer in question have no reasonable mechanism to know of the developer’s past transgressions without specific knowledge of the event in July 2021.

No Governance

What does this mean for modern organizations, security policies, and the management of third-party code? Previously, it meant we could only hope that developers would keep track of all prior incidents and track associated authors to avoid depending on open-source software with significant author risk.

There is no current mechanism in NPM, GitHub or within any of the realm of SCA vendor products to correlate author behavior with endemic ecosystem issues, including the publication of active malware.

Phylum’s Approach

When we started Phylum, we were acutely aware of the challenges of tracking author behavior and security incidents. As a result, we carefully developed our Author Risk and Reputation score to integrate data from occurrences, such as the event discussed above, into an actionable score. This score enables users to defend themselves and their software from bad actors in the open-source ecosystem. Generating an Author Risk and Reputation score, however, requires thoughtful analysis that reflects author behaviors in a way that is useful to end users. We believe these efforts are a necessity, however, because reliance on untrusted code from strangers on the internet is here to stay.

Subscribe to our weekly
email newsletter

Subscribe to our weekly email newsletter

Latest Articles

Phylum Detects Active Typosquatting Campaign Targeting NPM Developers
Research   |   Oct 02, 2022

Phylum Detects Active Typosquatting Campaign Targeting NPM Developers

Phylum detects a large scale typosquat campaign targeting the NPM ec...

The Dependency Network Shows the Complexity of the Software Ecosystem
Research   |   Sep 29, 2022

The Dependency Network Shows the Complexity of the Software Ecosystem

Part 2 in a blog series that will explore the software dependency ne...

Open-Source Malware Is Bad, and You Should Feel Bad
Research   |   Sep 26, 2022

Open-Source Malware Is Bad, and You Should Feel Bad

It is no secret that malware is pervasive. What may come as a surpri...