{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T09:59:19Z","timestamp":1775815159948,"version":"3.50.1"},"reference-count":83,"publisher":"IEEE","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021,5]]},"DOI":"10.1109\/icse43902.2021.00121","type":"proceedings-article","created":{"date-parts":[[2021,5,8]],"date-time":"2021-05-08T04:38:59Z","timestamp":1620448739000},"page":"1334-1346","source":"Crossref","is-referenced-by-count":39,"title":["Containing Malicious Package Updates in npm with a Lightweight Permission System"],"prefix":"10.1109","author":[{"given":"Gabriel","family":"Ferreira","sequence":"first","affiliation":[]},{"given":"Limin","family":"Jia","sequence":"additional","affiliation":[]},{"given":"Joshua","family":"Sunshine","sequence":"additional","affiliation":[]},{"given":"Christian","family":"Kastner","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818019"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1145\/3178372.3179527"},{"key":"ref71","first-page":"131","article-title":"Protecting Users by Confining JavaScript with COWL","author":"stefan","year":"2014","journal-title":"In Proc USENIX Symp Operating Systems Design and Impl (OSDI)"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23071"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-019-09737-2"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420956"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23131"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/2554850.2554909"},{"key":"ref75","author":"viega","year":"2011","journal-title":"Building Secure Software How to Avoid Security Problems the Right Way"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-160544"},{"key":"ref78","year":"0","journal-title":"Renovate - Automated Dependency Updates"},{"key":"ref79","first-page":"351","article-title":"A Look at the Dynamics of the JavaScript Package Ecosystem","author":"wittern","year":"2016","journal-title":"2016 IEEE\/ACM 13th Conference on Mining Software Repositories (MSR)"},{"key":"ref33","article-title":"I’m harvesting credit card numbers and passwords from your site","author":"gilbertson","year":"2018","journal-title":"here’s how"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/1297027.1297033"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-NIER.2019.00012"},{"key":"ref30","article-title":"Preventing Capability Leaks in Secure JavaScript Subsets","author":"finifter","year":"2010","journal-title":"Proc Network and Distributed System Security Symp (NDSS)"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2011.36"},{"key":"ref36","first-page":"151","article-title":"GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for Javascript Code","author":"guarnieri","year":"2009","journal-title":"In Proc USENIX Conference on Security (SEC)"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664276"},{"key":"ref34","year":"0","journal-title":"Greenkeeper Automate your npm dependency management"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1145\/1533057.1533067"},{"key":"ref62","author":"preston-werner","year":"2018","journal-title":"Semantic Versioning 2 0 0"},{"key":"ref61","first-page":"12","article-title":"ADsafety: Type-based Verification of JavaScript Sandboxing","author":"politz","year":"2011","journal-title":"In Proc USENIX Conference on Security (SEC)"},{"key":"ref63","first-page":"52","article-title":"The Eval That Men Do: A Large-scale Study of theUse of Eval in Javascript Applications","author":"richards","year":"2011","journal-title":"Proc European Conf Object-Oriented Programming (ECOOP '97)"},{"key":"ref28","first-page":"627","article-title":"Android Permissions Demystified. In Proc. Conf","author":"felt","year":"2011","journal-title":"Computer and Communications Security (CCS)"},{"key":"ref64","article-title":"npm hydra worm disclosure","author":"saccone","year":"2016","journal-title":"Google Tech Rep"},{"key":"ref27","author":"lint","year":"2018","journal-title":"Postmortem for Malicious Packages"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866315"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238159"},{"key":"ref29","first-page":"7","article-title":"The Effectiveness of Application Permissions","author":"felt","year":"2011","journal-title":"In Proc USENIX Conference on Web Application Development (WebApps)"},{"key":"ref67","doi-asserted-by":"crossref","first-page":"121","DOI":"10.1145\/1508293.1508311","article-title":"Bitvisor: A Thin Hypervisor for Enforcing I\/O Device Security","author":"shinagawa","year":"2009","journal-title":"Proc Intl Conf Virtual Execution Environments"},{"key":"ref68","article-title":"Snyk Develop Fast","year":"0","journal-title":"Stay Secure"},{"key":"ref69","year":"2018","journal-title":"Malicious code found in npm package event-stream"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420952"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106267"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2018.00050"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9589-y"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196401"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134059"},{"key":"ref23","author":"denbraver","year":"0","journal-title":"Code Execution Back Door Found in Ruby’s rest-client Library (blog post)"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2019.00061"},{"key":"ref25","author":"dickson","year":"0","journal-title":"The Complete Package Everything You Need To Know About NPM Security (blog post)"},{"key":"ref50","article-title":"A Capability-based Module System for Authority Control","author":"melicher","year":"2017","journal-title":"Proc European Conf Object-Oriented Programming (ECOOP '97)"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.36"},{"key":"ref59","author":"osmani","year":"2012","journal-title":"Learning JavaScript Design Patterns"},{"key":"ref58","author":"o\u2019rear","year":"0","journal-title":"Containerizing Node js Applications with Docker (blog post)"},{"key":"ref57","first-page":"348","article-title":"Assessing the Security of Node.js Platform","author":"ojamaa","year":"2012","journal-title":"In Proc Int’l Conf Internet Technology and Secured Transactions"},{"key":"ref56","year":"0","journal-title":"Requiring 2FA for Package Publishing and Settings Modification"},{"key":"ref55","year":"0","journal-title":"Auditing package dependencies for security vulnerabilities"},{"key":"ref54","first-page":"1271","article-title":"CHAINIAC: Proactive Softwareupdate Transparency via Collectively Signed Skipchains and Verified Builds","author":"nikitin","year":"2017","journal-title":"In Proc USENIX Conference on Security (SEC)"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115621"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.24"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-10082-1_4"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950325"},{"key":"ref40","author":"hejderup","year":"2015","journal-title":"In dependencies we trust How vulnerable are dependencies in software modules?"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455841"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813684"},{"key":"ref14","author":"cimpanu","year":"0","journal-title":"Two Malicious Python Libraries Caught Stealing SSH and GPG Keys (blog post)"},{"key":"ref15","article-title":"An Empirical Study of Dependency Downgrades in the npm Ecosystem. IEEE Trans. Softw. Eng. (TSE) (2019","author":"cogo","year":"2019"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-90421-4_6"},{"key":"ref16","article-title":"ADsafe","author":"crockford","year":"2008"},{"key":"ref81","article-title":"Tailored Application-specific System Call Tables","author":"zeng","year":"2014","journal-title":"University of Pennsylvania Technical Report"},{"key":"ref17","article-title":"Trustworthy Proxies: Virtualizing Objects with Invariants","author":"cutsem","year":"2013","journal-title":"Proc European Conf Object-Oriented Programming (ECOOP '97)"},{"key":"ref18","author":"dahlstrom","year":"0","journal-title":"Using JSLint For Faster Safer Coding With Less Javascript Errors (blog post)"},{"key":"ref83","first-page":"995","article-title":"Small World with High Risks: A Study of Security Threats in the npm Ecosystem","author":"zimmermann","year":"2019","journal-title":"In USENIX Security Symposium"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2017.7884604"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-019-09785-8"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/2103656.2103677"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.22"},{"key":"ref6","author":"baldwin","year":"2019","journal-title":"Plot to Steal Cryptocurrency Foiled by the npm Security Team"},{"key":"ref5","author":"baldwin","year":"2018","journal-title":"Reported malicious module getcookies"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23295"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1145\/2351676.2351722"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2016.02.003"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23295"},{"key":"ref46","first-page":"24","article-title":"AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements","author":"louw","year":"2010","journal-title":"In Proc USENIX Conference on Security (SEC)"},{"key":"ref45","article-title":"25 Million Flows Later - Large-scale Detection of DOM-based XSS","author":"lekies","year":"2013","journal-title":"In Proc Conf on Computer and Communications Security (CCS"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2009.11"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.7717\/peerj-cs.43"},{"key":"ref42","first-page":"153","article-title":"Treehouse: Javascript Sandboxes to Help Web Developers Help Themselves","author":"ingram","year":"2012","journal-title":"In Proc USENIX Annual Technical Conference (USENIX ATC)"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2013.6693128"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9521-5"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635904"}],"event":{"name":"2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE)","location":"Madrid, ES","start":{"date-parts":[[2021,5,22]]},"end":{"date-parts":[[2021,5,30]]}},"container-title":["2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9401807\/9401950\/09402108.pdf?arnumber=9402108","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,8,30]],"date-time":"2024-08-30T11:48:52Z","timestamp":1725018532000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9402108\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,5]]},"references-count":83,"URL":"https:\/\/doi.org\/10.1109\/icse43902.2021.00121","relation":{},"subject":[],"published":{"date-parts":[[2021,5]]}}}