A review of open-source software supply chain attacks

Here's a preprint paper fromMarc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier looking atattacks on language-specific repositories. "Recent years saw anumber of supply chain attacks that leverage the increasing use of opensource during software development, which is facilitated by dependencymanagers that automatically resolve, download and install hundreds of opensource packages throughout the software life cycle. This paper presents adataset of 174 malicious software packages that were used in real-worldattacks on open source software supply chains, and which were distributedvia the popular package repositories npm, PyPI, and RubyGems. Thosepackages, dating from November 2015 to November 2019, were manuallycollected and analyzed. The paper also presents two general attack trees toprovide a structured overview about techniques to inject malicious codeinto the dependency tree of downstream users, and to execute such code atdifferent times and under different conditions."