Once again, the ElevenPaths Innovation and Lab team is taking part in the Black Hat USA 2021 Arsenal in Las Vegas to share a new open-source tool with the community. Because of this year's pandemic, Black Hat will run a hybrid event that can be attended either on-site plus online or in a fully online mode. It will take place on the 4th or 5th of August, when part of our team, represented by Carlos Ávila, Diego Espitia, Claudio Caracciolo and Franco Piergallini Guida, will present an internal development that will be released publicly during those days: an open-source tool we have called PackageDNA.
As malware campaigns embedded in software development packages are steadily increasing, we have identified the need to automate the analysis of the third-party packages (pypi, npm, gem, godev, etc.) that we pull into our developments every day, usually without questioning how they work or what they do internally.
PackageDNA was born to fill this need, giving developers and researchers the ability to analyse the packages they use in depth, automatically and at scale. Among its functionalities, it collects an extensive enumeration of each package's internal features and metadata, and it runs a series of automated analyses: searching for known CVEs affecting the package, looking for files identified as malware, checking for typosquatting of the package name, and reviewing the history of the package's developer in the analysed repositories, among other features.
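As an added illustration of the typosquatting check mentioned above (this is example code written for this post, not PackageDNA's own implementation, and its list of popular package names is a constructed sample), the snippet below compares a candidate package name against known popular names using the PyPI name-normalisation rules, Levenshtein edit distance and a "contains a popular name" heuristic, and reports every close match so a reviewer can decide whether the dependency is the one they meant to install:

```python
import re

# Constructed sample of popular package names; a real check would load the
# top-N names from the registry being analysed (PyPI, npm, ...).
POPULAR_PACKAGES = [
    "requests", "urllib3", "numpy", "setuptools", "django", "flask", "pyyaml",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PyPI treats runs of '-', '_' and '.' as one separator and ignores case."""
    return re.sub(r"[-_.]+", "-", name).lower()


def typosquat_candidates(name: str, popular=POPULAR_PACKAGES, max_distance: int = 2):
    """Return (popular_name, distance, reason) for every suspicious match.

    An exact (normalised) match is the legitimate package and is skipped.
    Results are sorted by edit distance, closest first.
    """
    n = normalize(name)
    hits = []
    for p in popular:
        pn = normalize(p)
        if pn == n:
            continue
        d = levenshtein(n, pn)
        if d <= max_distance:
            hits.append((p, d, "edit distance"))
        elif len(pn) >= 5 and pn in n:
            # e.g. "python-requests" or "requests-utils": a well-known name
            # wrapped in extra tokens, a common lure for confused installs.
            hits.append((p, d, "contains popular name"))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for candidate in ["requests", "reqeusts", "numpi", "python-requests"]:
        print(candidate, "->", typosquat_candidates(candidate))
```

The distance threshold of 2 catches single-character omissions, substitutions and adjacent-letter swaps; a production check would also want the registry's real popularity list and a review of the suspicious package's publisher history, which the post lists as a separate PackageDNA analysis.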
The tool is open-source, free and modular, and has the ability to present the results in different formats, in a visually friendly and centralised way.
As mentioned above, although the tool is currently used only by our internal team, it will be available for public download after the Arsenal presentation, so that everyone can use it and contribute openly to the project.