{"id":"https://openalex.org/W7147412896","doi":"https://doi.org/10.48550/arxiv.2603.27549","title":"Understanding NPM Malicious Package Detection: A Benchmark-Driven Empirical Analysis","display_name":"Understanding NPM Malicious Package Detection: A Benchmark-Driven Empirical Analysis","publication_year":2026,"publication_date":"2026-03-29","ids":{"openalex":"https://openalex.org/W7147412896","doi":"https://doi.org/10.48550/arxiv.2603.27549"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.27549","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.27549","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"public-domain","license_id":"https://openalex.org/licenses/public-domain","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.27549","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5132583668","display_name":"Wenbo Guo","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Guo, Wenbo","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5132564469","display_name":"Zhongwen Chen","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chen, Zhongwen","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5132723472","display_name":"Zhengzi Xu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xu, Zhengzi","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5132650131","display_name":"Chengwei Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Chengwei","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5123876302","display_name":"Ming Kang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Kang, Ming","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5104094613","display_name":"Shiwen Song","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Song, Shiwen","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5132578946","display_name":"Chengyue Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Chengyue","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5024278894","display_name":"Yijia Xu","orcid":"https://orcid.org/0000-0003-2843-4225"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xu, Yijia","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5132724235","display_name":"Weisong Sun","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Sun, Weisong","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5132698519","display_name":"Yang Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Yang","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":10,"corresponding_author_ids":["https://openalex.org/A5132583668"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9469000101089478,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9469000101089478,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.01850000023841858,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.007600000128149986,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/evasion","display_name":"Evasion (ethics)","score":0.795799970626831},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.682200014591217},{"id":"https://openalex.org/keywords/ambiguity","display_name":"Ambiguity","score":0.6466000080108643},{"id":"https://openalex.org/keywords/complement","display_name":"Complement (music)","score":0.5231000185012817},{"id":"https://openalex.org/keywords/complementarity","display_name":"Complementarity (molecular biology)","score":0.48750001192092896},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.45969998836517334},{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.44209998846054077},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.4404999911785126},{"id":"https://openalex.org/keywords/feature","display_name":"Feature (linguistics)","score":0.40619999170303345},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.4018000066280365}],"concepts":[{"id":"https://openalex.org/C2781251061","wikidata":"https://www.wikidata.org/wiki/Q5416089","display_name":"Evasion (ethics)","level":3,"score":0.795799970626831},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7882000207901001},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.682200014591217},{"id":"https://openalex.org/C2780522230","wikidata":"https://www.wikidata.org/wiki/Q1140419","display_name":"Ambiguity","level":2,"score":0.6466000080108643},{"id":"https://openalex.org/C112313634","wikidata":"https://www.wikidata.org/wiki/Q7886648","display_name":"Complement (music)","level":5,"score":0.5231000185012817},{"id":"https://openalex.org/C202269582","wikidata":"https://www.wikidata.org/wiki/Q2644277","display_name":"Complementarity (molecular biology)","level":2,"score":0.48750001192092896},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.45969998836517334},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.44209998846054077},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.4404999911785126},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.4399000108242035},{"id":"https://openalex.org/C2776401178","wikidata":"https://www.wikidata.org/wiki/Q12050496","display_name":"Feature (linguistics)","level":2,"score":0.40619999170303345},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.4018000066280365},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.37709999084472656},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.3714999854564667},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3684000074863434},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.3499000072479248},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.335999995470047},{"id":"https://openalex.org/C120936955","wikidata":"https://www.wikidata.org/wiki/Q2155640","display_name":"Empirical research","level":2,"score":0.32330000400543213},{"id":"https://openalex.org/C774472","wikidata":"https://www.wikidata.org/wiki/Q6760393","display_name":"Margin (machine learning)","level":2,"score":0.3199000060558319},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3122999966144562},{"id":"https://openalex.org/C139807058","wikidata":"https://www.wikidata.org/wiki/Q352374","display_name":"Adaptation (eye)","level":2,"score":0.295199990272522},{"id":"https://openalex.org/C2779395397","wikidata":"https://www.wikidata.org/wiki/Q15731404","display_name":"Malware analysis","level":3,"score":0.29269999265670776},{"id":"https://openalex.org/C207850805","wikidata":"https://www.wikidata.org/wiki/Q269608","display_name":"Reverse engineering","level":2,"score":0.2856999933719635},{"id":"https://openalex.org/C82214349","wikidata":"https://www.wikidata.org/wiki/Q657339","display_name":"Software metric","level":5,"score":0.2842000126838684},{"id":"https://openalex.org/C149810388","wikidata":"https://www.wikidata.org/wiki/Q5374873","display_name":"Emulation","level":2,"score":0.27970001101493835},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.2793999910354614},{"id":"https://openalex.org/C110332635","wikidata":"https://www.wikidata.org/wiki/Q629498","display_name":"Genetic programming","level":2,"score":0.2761000096797943},{"id":"https://openalex.org/C10272871","wikidata":"https://www.wikidata.org/wiki/Q929972","display_name":"Software inspection","level":5,"score":0.2705000042915344},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.2637999951839447},{"id":"https://openalex.org/C1009929","wikidata":"https://www.wikidata.org/wiki/Q179550","display_name":"Software bug","level":3,"score":0.26350000500679016},{"id":"https://openalex.org/C137287247","wikidata":"https://www.wikidata.org/wiki/Q1329550","display_name":"Static program analysis","level":4,"score":0.2628999948501587},{"id":"https://openalex.org/C94124525","wikidata":"https://www.wikidata.org/wiki/Q912550","display_name":"Categorization","level":2,"score":0.2583000063896179},{"id":"https://openalex.org/C2775941552","wikidata":"https://www.wikidata.org/wiki/Q25212305","display_name":"Isolation (microbiology)","level":2,"score":0.25619998574256897},{"id":"https://openalex.org/C2777303404","wikidata":"https://www.wikidata.org/wiki/Q759757","display_name":"Convergence (economics)","level":2,"score":0.2535000145435333},{"id":"https://openalex.org/C2776036281","wikidata":"https://www.wikidata.org/wiki/Q48769818","display_name":"Constraint (computer-aided design)","level":2,"score":0.2533000111579895}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.27549","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.27549","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"public-domain","license_id":"https://openalex.org/licenses/public-domain","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.27549","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.27549","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"public-domain","license_id":"https://openalex.org/licenses/public-domain","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"score":0.4368555247783661,"display_name":"Life in Land","id":"https://metadata.un.org/sdg/15"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"The":[0],"NPM":[1,35],"ecosystem":[2,161],"has":[3],"become":[4],"a":[5,30,39,133],"primary":[6],"target":[7],"for":[8],"software":[9],"supply":[10],"chain":[11,135],"attacks,":[12],"yet":[13],"existing":[14],"detection":[15,149],"tools":[16,60],"are":[17,94,215],"evaluated":[18],"in":[19,185],"isolation":[20],"on":[21],"incompatible":[22],"datasets,":[23],"making":[24],"cross-tool":[25],"comparison":[26],"unreliable.":[27],"We":[28],"conduct":[29],"benchmark-driven":[31],"empirical":[32],"analysis":[33,86],"of":[34,41,74],"malware":[36,155,176],"detection,":[37],"building":[38],"dataset":[40],"6,420":[42],"malicious":[43,145],"and":[44,53,57,109,142,179,207,212],"7,288":[45],"benign":[46,183],"packages":[47],"annotated":[48],"with":[49,71,115,201],"11":[50],"behavior":[51],"categories":[52],"8":[54,59],"evasion":[55,158],"techniques,":[56],"evaluating":[58],"across":[61],"13":[62],"variants.":[63],"Unlike":[64],"prior":[65],"work,":[66],"we":[67],"complement":[68],"quantitative":[69],"evaluation":[70,213],"source-code":[72],"inspection":[73],"each":[75,99],"tool":[76,100],"to":[77,113,152],"expose":[78],"the":[79,102,118,160],"structural":[80],"mechanisms":[81],"behind":[82],"its":[83],"performance.":[84],"Our":[85,210],"reveals":[87],"five":[88],"key":[89],"findings.":[90],"Tool":[91,188],"precision-recall":[92],"positions":[93],"structurally":[95],"determined":[96],"by":[97,193],"how":[98],"resolves":[101],"ambiguity":[103],"between":[104],"what":[105,110],"code":[106,184],"can":[107],"do":[108],"it":[111],"intends":[112],"do,":[114],"GuardDog":[116],"achieving":[117],"best":[119],"balance":[120],"at":[121],"93.32%":[122],"F1.":[123,209],"A":[124],"single":[125],"API":[126],"call":[127],"carries":[128],"no":[129,157],"directional":[130],"intent,":[131],"but":[132],"behavioral":[134],"such":[136],"as":[137],"collecting":[138],"environment":[139],"variables,":[140],"serializing,":[141],"exfiltrating":[143],"disambiguates":[144],"purpose,":[146],"raising":[147],"SAP_DT":[148],"from":[150,169,182],"3.2%":[151],"79.3%.":[153],"Most":[154],"requires":[156],"because":[159],"lacks":[162],"mandatory":[163],"pre-publication":[164],"scanning.":[165],"ML":[166],"degradation":[167],"stems":[168],"concept":[170,174],"convergence":[171],"rather":[172],"than":[173],"drift:":[175],"became":[177],"simpler":[178],"statistically":[180],"indistinguishable":[181],"feature":[186],"space.":[187],"combination":[189],"effectiveness":[190],"is":[191],"governed":[192],"complementarity":[194],"minus":[195],"false-positive":[196],"introduction,":[197],"not":[198],"paradigm":[199],"diversity,":[200],"strategic":[202],"combinations":[203],"reaching":[204],"96.08%":[205],"accuracy":[206],"95.79%":[208],"benchmark":[211],"framework":[214],"publicly":[216],"available.":[217]},"counts_by_year":[],"updated_date":"2026-04-02T13:53:19.096889","created_date":"2026-04-02T00:00:00"}