Package Hunter: Free tool to find malware o malicious code in open source code when you copy/paste a code

A few days ago GitLab announced the release of Package Hunter, a new open source tool for identifying potentially malicious code in web development dependencies. This tool will help developers prevent the inclusion of harmful creations in their projects considering that the use of open source libraries and the reuse of code are very common practices nowadays.

Some applications rely on a few hundred packages, some of which are not examined with due care. These weaknesses can be abused by threat actors in supply chain attacks, a variant of hacking that has shown considerable increase in recent months.

GitLab teams hope the tool will make it more efficient to detect malicious code that would run on an application’s dependencies and that is hard to find using other popular scanning tools.

Package Hunter dependencies are installed in a sandbox environment, from which system calls executed during the installation of new packages or libraries are closely monitored to identify potential cybersecurity risks. The tool has been used internally on GitLab since late 2020 and will now be available to general users.

It should be mentioned that the tool has some prerequisites for its installation, including:

  • Falco 0.23.0 (newer versions may be incompatible)
  • Docker 20.10 or newer
  • Node v12.21 or newer

For installation, users must follow this process:

  • Download and install Vagrant for the corresponding operating system
  • Open a terminal and navigate to the Package Hunter project directory
  • Run the vagrant up command and wait for initialization to finish
  • A virtual machine ready to run Package Hunter will be created. Next you need to run the vagrant ssh command to get a command shell on the guest VM
  • Inside the guest machine, run cd/vagrant to go to the project files
  • Run the npm ci command

The use of this tool is very simple:

  • On the host machine, run vagrant ssh if you do not already have an SSH session on the guest machine
  • Run NODE_ENV =development DEBUG=pkgs*node src/server.js to run the Package Hunter web server on port 3000

A detailed guide to using Package Hunter is available on the official GitLab site.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.