August 26
Do you really want to know what happens inside your dependencies?

Building software on top of open‑source libraries and packages has become the norm. Modern languages and frameworks, like Python, Node.js, Go, Rust encourage developers to just “download and execute” whatever is offered by third‑party repositories without thinking much about the consequences.

The latest incidents with packages like node‑ipc, CTX show that these consequences may be quite severe, and these are just the cases we know about.

This talk will describe an automated system that the researchers built for monitoring and searching for malicious changes in npm, PyPi, and Crates packages, the challenges they faced and their solutions. The speakers will present the current results and the most interesting discoveries detected in the repositories.