{"id":"https://openalex.org/W4385080288","doi":"https://doi.org/10.1109/sp46215.2023.10179332","title":"Investigating Package Related Security Threats in Software Registries","display_name":"Investigating Package Related Security Threats in Software Registries","publication_year":2023,"publication_date":"2023-05-01","ids":{"openalex":"https://openalex.org/W4385080288","doi":"https://doi.org/10.1109/sp46215.2023.10179332"},"language":"en","primary_location":{"id":"doi:10.1109/sp46215.2023.10179332","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46215.2023.10179332","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101152479","display_name":"Yacong Gu","orcid":"https://orcid.org/0000-0003-2221-5689"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Yacong Gu","raw_affiliation_strings":["QI-ANXIN Technology Research Institute"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"QI-ANXIN Technology Research Institute","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100414046","display_name":"Lingyun Ying","orcid":"https://orcid.org/0000-0001-7445-9103"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lingyun Ying","raw_affiliation_strings":["QI-ANXIN Technology Research Institute"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"QI-ANXIN Technology Research Institute","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102537304","display_name":"Yingyuan Pu","orcid":null},"institutions":[{"id":"https://openalex.org/I59028903","display_name":"Ocean University of China","ror":"https://ror.org/04rdtx186","country_code":"CN","type":"education","lineage":["https://openalex.org/I59028903"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yingyuan Pu","raw_affiliation_strings":["QI-ANXIN Technology Research Institute","Ocean University of China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"QI-ANXIN Technology Research Institute","institution_ids":[]},{"raw_affiliation_string":"Ocean University of China","institution_ids":["https://openalex.org/I59028903"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Xiao Hu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xiao Hu","raw_affiliation_strings":["QI-ANXIN Technology Research Institute"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"QI-ANXIN Technology Research Institute","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5086425732","display_name":"Huajun Chai","orcid":"https://orcid.org/0000-0001-8067-9129"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Huajun Chai","raw_affiliation_strings":["QI-ANXIN Technology Research Institute"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"QI-ANXIN Technology Research Institute","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101688784","display_name":"Ruimin Wang","orcid":"https://orcid.org/0009-0007-8349-0568"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ruimin Wang","raw_affiliation_strings":["QI-ANXIN Technology Research Institute","Southeast University"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"QI-ANXIN Technology Research Institute","institution_ids":[]},{"raw_affiliation_string":"Southeast University","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100622644","display_name":"Xing Gao","orcid":"https://orcid.org/0000-0002-0401-5125"},"institutions":[{"id":"https://openalex.org/I86501945","display_name":"University of Delaware","ror":"https://ror.org/01sbq1a82","country_code":"US","type":"education","lineage":["https://openalex.org/I86501945"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Xing Gao","raw_affiliation_strings":["University of Delaware"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Delaware","institution_ids":["https://openalex.org/I86501945"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5067799841","display_name":"Haixin Duan","orcid":"https://orcid.org/0000-0003-0083-733X"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Haixin Duan","raw_affiliation_strings":["Tsinghua University","Tsinghua University-QI-ANXIN Group JCNS"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Tsinghua University","institution_ids":["https://openalex.org/I99065089"]},{"raw_affiliation_string":"Tsinghua University-QI-ANXIN Group JCNS","institution_ids":["https://openalex.org/I99065089"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":8,"corresponding_author_ids":["https://openalex.org/A5101152479"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":3.2548,"has_fulltext":false,"cited_by_count":17,"citation_normalized_percentile":{"value":0.9318646,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"1578","last_page":"1595"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9980000257492065,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9955000281333923,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7244762182235718},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.604755699634552},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.599931538105011},{"id":"https://openalex.org/keywords/reuse","display_name":"Reuse","score":0.5532941222190857},{"id":"https://openalex.org/keywords/code-reuse","display_name":"Code reuse","score":0.5242509841918945},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.5191754102706909},{"id":"https://openalex.org/keywords/software-package","display_name":"Software package","score":0.46693721413612366},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.4588371813297272},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.4261644184589386},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.34596148133277893},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.24630862474441528},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.100677490234375},{"id":"https://openalex.org/keywords/security-service","display_name":"Security service","score":0.09854140877723694},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.09257379174232483}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7244762182235718},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.604755699634552},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.599931538105011},{"id":"https://openalex.org/C206588197","wikidata":"https://www.wikidata.org/wiki/Q846574","display_name":"Reuse","level":2,"score":0.5532941222190857},{"id":"https://openalex.org/C2778583558","wikidata":"https://www.wikidata.org/wiki/Q771245","display_name":"Code reuse","level":3,"score":0.5242509841918945},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.5191754102706909},{"id":"https://openalex.org/C3020440742","wikidata":"https://www.wikidata.org/wiki/Q1176855","display_name":"Software package","level":3,"score":0.46693721413612366},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.4588371813297272},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.4261644184589386},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.34596148133277893},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.24630862474441528},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.100677490234375},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.09854140877723694},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.09257379174232483},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.0},{"id":"https://openalex.org/C548081761","wikidata":"https://www.wikidata.org/wiki/Q180388","display_name":"Waste management","level":1,"score":0.0},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/sp46215.2023.10179332","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46215.2023.10179332","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Life in Land","score":0.4699999988079071,"id":"https://metadata.un.org/sdg/15"}],"awards":[],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":48,"referenced_works":["https://openalex.org/W57130263","https://openalex.org/W587329788","https://openalex.org/W1001914638","https://openalex.org/W1546563748","https://openalex.org/W1600184236","https://openalex.org/W1637101047","https://openalex.org/W1647671624","https://openalex.org/W1984816986","https://openalex.org/W2047794235","https://openalex.org/W2073342447","https://openalex.org/W2148542607","https://openalex.org/W2165109377","https://openalex.org/W2477311979","https://openalex.org/W2535407856","https://openalex.org/W2557089785","https://openalex.org/W2591793539","https://openalex.org/W2751085911","https://openalex.org/W2789570312","https://openalex.org/W2805407300","https://openalex.org/W2806253293","https://openalex.org/W2889480272","https://openalex.org/W2902942389","https://openalex.org/W2913770937","https://openalex.org/W2914845368","https://openalex.org/W2915997584","https://openalex.org/W2929264149","https://openalex.org/W2946898425","https://openalex.org/W2963559715","https://openalex.org/W2963748706","https://openalex.org/W3046453918","https://openalex.org/W3094525800","https://openalex.org/W3097101678","https://openalex.org/W3138230581","https://openalex.org/W3162570939","https://openalex.org/W3184379011","https://openalex.org/W3194474958","https://openalex.org/W3195513561","https://openalex.org/W4226334994","https://openalex.org/W4226410005","https://openalex.org/W4298869031","https://openalex.org/W6636915900","https://openalex.org/W6743874582","https://openalex.org/W6752006691","https://openalex.org/W6754216381","https://openalex.org/W6759246942","https://openalex.org/W6763076549","https://openalex.org/W6796290110","https://openalex.org/W6799855602"],"related_works":["https://openalex.org/W2182697532","https://openalex.org/W1517387344","https://openalex.org/W1544062218","https://openalex.org/W142226328","https://openalex.org/W1964111631","https://openalex.org/W185550498","https://openalex.org/W2348203156","https://openalex.org/W2226868092","https://openalex.org/W2164928043","https://openalex.org/W2750943285"],"abstract_inverted_index":{"Package":[0],"registries":[1,135],"host":[2],"reusable":[3],"code":[4,99],"assets,":[5],"allowing":[6],"developers":[7],"to":[8,41,96,112,125,175],"share":[9],"and":[10,34,74,115,136,161,178],"reuse":[11],"packages":[12,144],"easily,":[13],"thus":[14],"accelerating":[15],"the":[16,68,89,172],"software":[17,21,60],"development":[18],"process.":[19],"Current":[20],"registry":[22,61,72,75,119],"ecosystems":[23],"involve":[24],"multiple":[25,155],"independent":[26],"stakeholders":[27,177],"for":[28,88],"package":[29,148],"management.":[30],"Unfortunately,":[31],"abnormal":[32],"behavior":[33],"information":[35],"inconsistency":[36],"inevitably":[37],"exist,":[38],"enabling":[39],"adversaries":[40],"conduct":[42,126],"malicious":[43,98],"activities":[44],"with":[45,83],"minimal":[46],"effort":[47],"covertly.":[48],"In":[49],"this":[50],"paper,":[51],"we":[52,77,106],"investigate":[53],"potential":[54,80],"security":[55,104],"vulnerabilities":[56,117,174],"in":[57,118,158],"six":[58,84,134],"popular":[59,138],"ecosystems.":[62,120],"Through":[63],"a":[64,127],"systematic":[65],"analysis":[66,109,152],"of":[67,85],"official":[69],"registries,":[70],"corresponding":[71],"mirrors":[73],"clients,":[76],"identify":[78],"twelve":[79],"attack":[81],"vectors,":[82],"them":[86],"disclosed":[87],"first":[90],"time,":[91],"that":[92,154],"can":[93],"be":[94],"exploited":[95,165],"distribute":[97],"stealthily.":[100],"Based":[101],"on":[102],"these":[103],"issues,":[105],"build":[107],"an":[108],"framework,":[110],"RScouter,":[111],"continuously":[113],"monitor":[114],"uncover":[116],"We":[121,168],"then":[122],"utilize":[123],"RScouter":[124],"measurement":[128],"study":[129],"spanning":[130],"one":[131],"year":[132],"over":[133,141],"seventeen":[137],"mirrors,":[139],"scrutinizing":[140],"4":[142],"million":[143,147],"across":[145],"53":[146],"versions.":[149],"Our":[150],"quantitative":[151],"demonstrates":[153],"threats":[156],"exist":[157],"every":[159],"ecosystem,":[160],"some":[162],"have":[163,169],"been":[164],"by":[166],"attackers.":[167],"duly":[170],"reported":[171],"identified":[173],"related":[176],"received":[179],"positive":[180],"responses.":[181]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":10},{"year":2024,"cited_by_count":5},{"year":2023,"cited_by_count":1}],"updated_date":"2026-04-28T14:05:53.105641","created_date":"2025-10-10T00:00:00"}