Abstract
Open-source software ecosystems have become critical infrastructure for modern software development, yet they remain vulnerable to sophisticated supply chain attacks. This paper presents a comprehensive empirical analysis of supply chain attacks targeting npm, PyPI, and Docker Hub, examining 23 documented campaigns affecting over 2.6 billion weekly downloads. Through systematic analysis of attack vectors including typosquatting, dependency confusion, and maintainer account compromise, we identify recurring patterns and structural vulnerabilities across package registries. Our analysis reveals that 86.1% of detected typosquatted packages contained malware, with cryptocurrency theft emerging as the predominant attack objective. We document the September 2025 npm compromise affecting 18 packages through phishing, the self-propagating Shai-Hulud worm campaign, and persistent XZ Utils backdoor propagation in Docker Hub images. We propose a multilayered defense framework incorporating Software Bill of Materials (SBOM) automation, behavioral package analysis, and enhanced authentication mechanisms. Our findings demonstrate that current registry security measures remain insufficient, with malicious packages persisting for extended periods despite detection capabilities.
Document Type
Paper
Disciplines
Cybersecurity
DOI
10.25776/h5ez-vq70
Publication Date
12-3-2025
Upload File
wf_yes
Included in
Supply Chain Attacks Through Open Source Software: A Comprehensive Analysis of NPM, PyPI, and Docker Hub Vulnerabilities
Open-source software ecosystems have become critical infrastructure for modern software development, yet they remain vulnerable to sophisticated supply chain attacks. This paper presents a comprehensive empirical analysis of supply chain attacks targeting npm, PyPI, and Docker Hub, examining 23 documented campaigns affecting over 2.6 billion weekly downloads. Through systematic analysis of attack vectors including typosquatting, dependency confusion, and maintainer account compromise, we identify recurring patterns and structural vulnerabilities across package registries. Our analysis reveals that 86.1% of detected typosquatted packages contained malware, with cryptocurrency theft emerging as the predominant attack objective. We document the September 2025 npm compromise affecting 18 packages through phishing, the self-propagating Shai-Hulud worm campaign, and persistent XZ Utils backdoor propagation in Docker Hub images. We propose a multilayered defense framework incorporating Software Bill of Materials (SBOM) automation, behavioral package analysis, and enhanced authentication mechanisms. Our findings demonstrate that current registry security measures remain insufficient, with malicious packages persisting for extended periods despite detection capabilities.