Open-source security: It's too easy to upload 'devastating' malicious packages, warns Google

The Google and OpenSSF Package Analysis project aims to reduce security risks created by developers' crazy package-updating schedules.

Google has detailed some of the work done to find malicious code packages that have been sneaked into bigger open-source software projects. 

The Package Analysis Project is one of the software supply chain initiatives from the the Linux Foundation's Open Source Security Foundation (OpenSSF) that should help automate the process of identifying malicious packages distributed on popular package repositories, such as npm for JavaScript and PyPl for Python. It runs a dynamic analysis of all packages uploaded to popular open-source repositories. It aims to provide data about common types of malicious packages and inform those working on open-source software supply chain security about how best to improve it.