Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News GitLab Open-Sources Package Hunter, Falco-Based Tool to Detect Malicious Code

GitLab Open-Sources Package Hunter, Falco-Based Tool to Detect Malicious Code

This item in japanese

GitLab has released a new open-source tool, Package Hunter, aimed to detect malicious code by running your project dependencies inside a sandbox. Package Hunter leverages Falco to detect unexpected application behaviour at runtime.

Package Hunter is a tool to analyze a program's dependencies for malicious code and other unexpected behavior by installing the dependencies in a sandbox environment and monitoring system calls executed during the installation. Any suspicious system calls are reported to the user for further examination.

For example, running Package Hunter you could find out that a package attempted to open a network connection on install. This gives you a chance to verify the IP address the package is trying to connect to is legitimate. If that check did not give any hints, you could attempt to replace the version you are using with a different version of the package, e.g. by downloading it from a different source. This would protect, for example, in case a given legitimate version was compromised. As a last step, you could engage in analyzing the reported behaviour by inspecting the code and, possibly, reporting the malicious package.

GitLab has been testing Package Hunter internally since November 2020 and made it straightforward to integrate in their continuous integration pipeline thanks to a specific template. The tool can be used though in any environment supporting Falco 0.23.0, Docker v20.10+, and Node v12.21+. A Vagrantfile is also available to make it easier to install and try it out on your machine.

Package Hunter provides a service running by default on port 3000 that you can control using the Package Hunter CLI. To analyze a project, you create a tar archive of your project and send it to the server. If you are using Docker, you can run the following command to accomplish that:

docker run --rm \
  -v "${PWD}:/usr/src/app" \
  --env "DEBUG=pkgs*" \
  --env "HTR_user=someuser" --env "HTR_pass=somepass" \ analyze my_project.tgz

GitLab Package Hunter is not the only tool that developers can use to try and protect against malicious code in their dependencies. Both GitLab and GitHub indeed provide support for dependency analysis and code scanning. Package Hunter, though, moves in a slightly different direction by trying to detect malicious behaviour at runtime.

Rate this Article