Security researchers at Apiiro have just raised the stakes in the battle against supply chain attacks. They’ve launched two new open-source tools aimed at detecting and blocking malicious code before it makes its way into software projects—a proactive move in a world where code-based threats are becoming increasingly stealthy and sophisticated.
With supply chain attacks on the rise, these free tools could be a game-changer for developers and cybersecurity teams alike. Here’s how they work, why they matter, and what they could mean for the future of secure software development.
A Two-Pronged Defense Against Malicious Code
At the core of Apiiro’s new release are two tools: a comprehensive ruleset for Semgrep and Opengrep, and a GitHub-integrated scanner called PRevent. Both are designed to catch malicious code before it gets merged into production.
Let’s break that down:
- Semgrep and Opengrep Rulesets: Detection rules for the Semgrep and Opengrep pattern-matching engines that help identify code behaviors often associated with malware.
- PRevent: A real-time GitHub scanner that watches for suspicious activity in pull requests (PRs) before any code gets merged.
Matan Giladi, a security researcher at Apiiro, claims these tools keep false positives low while maintaining high accuracy rates—making them practical for real-world applications where efficiency matters.
How Accurate Are These Tools?
When it comes to stopping threats, accuracy is everything. According to Apiiro’s internal tests:
- The detection accuracy for PyPI packages is 94.3%—a strong performance for Python environments.
- For npm packages, which are typically used for JavaScript projects, the accuracy is slightly lower but still impressive at 88.4%.
- PRevent flags malicious pull requests correctly 91.5% of the time.
These are solid numbers for an open-source project, especially considering the typical trade-off between catching threats and avoiding false alarms.
Spotting the Bad Apples: How the Detection Works
Apiiro’s detection strategy revolves around identifying what they call “code anti-patterns”—these are behaviors that rarely show up in legitimate code but often appear in malware. The focus is on static analysis, meaning the code is scanned without executing it, keeping the system secure from accidental infections.
Here’s what the system looks for:
- Obfuscation Techniques: Encoding, nested transformations, and runtime changes that mask the true purpose of the code.
- Suspicious Functions: Calls to exec() or eval(), which can execute arbitrary code, a hallmark of many malicious scripts.
- External Payloads: Code that tries to download and run files from unknown servers.
- Data Exfiltration: Attempts to send sensitive user information to external locations.
These red flags aren’t always definitive proof of malicious intent, but they are strong indicators that something’s off.
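To make the static-analysis idea concrete, here is an added example (not Apiiro's ruleset or PRevent code) that parses Python source without running it and flags exec()/eval() calls, ranking them higher when the argument is decoded or downloaded data. The rule names, decoder and fetcher lists, and the sample file are assumptions constructed for illustration.

```python
import ast

# Constructed sample standing in for a file added in a pull request.
# BLOB, URL and user_expr are placeholders; the text is parsed, never run.
SAMPLE = '''
import base64, zlib, urllib.request
exec(zlib.decompress(base64.b64decode(BLOB)))
result = eval(user_expr)
exec(urllib.request.urlopen(URL).read())
print("hello")
'''

DYNAMIC_EXEC = {"exec", "eval"}
DECODERS = {"b64decode", "a85decode", "unhexlify", "fromhex", "decompress"}
FETCHERS = {"urlopen", "urlretrieve"}


def call_name(call):
    """Last component of the called name: 'b64decode' for base64.b64decode()."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else None


def scan(source):
    """Return sorted (line, rule) findings; rule names are illustrative."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Only the builtins exec()/eval(), not methods such as cursor.exec().
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DYNAMIC_EXEC):
            continue
        # Names of every call nested anywhere inside the arguments.
        inner = {call_name(n) for arg in node.args
                 for n in ast.walk(arg) if isinstance(n, ast.Call)}
        if inner & DECODERS:
            findings.append((node.lineno, "exec-of-decoded-data"))
        if inner & FETCHERS:
            findings.append((node.lineno, "exec-of-remote-payload"))
        if not inner & (DECODERS | FETCHERS):
            findings.append((node.lineno, "dynamic-exec"))  # weaker signal
    return sorted(findings)


if __name__ == "__main__":
    for line, rule in scan(SAMPLE):
        print(f"line {line}: {rule}")
```

A bare eval() on a variable is reported only as the weaker "dynamic-exec" signal, which mirrors the point above that these patterns are indicators for review rather than proof.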
Integrating the Tools Into Your Workflow
One of the standout features of Apiiro’s solution is how seamlessly it integrates into existing workflows. Developers can plug the ruleset directly into their CI/CD pipelines for automated scanning. This means every push or pull request can be checked automatically, without slowing down the development process.
Key benefits:
- Automated scans for npm and PyPI packages.
- Customizable rules for different platforms using Semgrep or Opengrep.
- Real-time alerts for pull requests flagged by PRevent.
And for extra security, PRevent can be configured to:
- Block suspicious pull requests until a reviewer signs off.
- Add comments on flagged code so developers are immediately aware of potential issues.
The Limitations (And What’s Coming Next)
No tool is perfect, and Apiiro’s offerings have their limitations:
- They can’t detect malware hidden in compiled binaries.
- Direct scanning of npm and PyPI packages isn’t yet supported.
However, Apiiro has already hinted at future updates, including:
- Deep code analysis for catching more sophisticated threats.
- AI-assisted scans to improve detection rates and reduce false positives.
If these features roll out as planned, Apiiro’s tools could become a major player in the fight against software supply chain attacks.
Where to Get These Tools
Both the malicious code detection ruleset and PRevent are available for free on GitHub. Detailed instructions for installation and usage are provided, making it easy for developers and security professionals to get started.
One caveat: As of now, these tools haven’t been independently tested by platforms like BleepingComputer. So, while the promise is high, users should proceed with a mix of optimism and caution.