Identifying Malicious OSS Across Ecosystems
CVE/FIRST VulnCon 2025 · Main Stage
This talk, delivered by Justin Smith of Microsoft's Open Source Security Team at VulnCon, shifts focus from traditional vulnerabilities to the pervasive and growing threat of **malicious open-source software (OSS)** across package ecosystems. Smith notes that while VulnCon usually centers on CVEs and known vulnerabilities, a distinct and equally serious problem is outright malware published as seemingly legitimate packages: code that is malicious by design rather than accidentally flawed. The presentation covers the motivations behind OSS malware, the limits of per-ecosystem detection methods once they must scale across many package registries, and a research project named "OSsimilation", developed at Microsoft, that uses package metadata as a first-pass signal to address this challenge.
AI review
Smith delivers a competent, well-structured overview of malicious OSS detection that sits squarely in the threat-intel/case-study lane. The OSsimilation project is real work with real outputs — 47,000 packages removed from npm is not nothing — and the metadata-first, cross-ecosystem framing is a legitimate contribution to a problem space that deserves more systematic attention. The interactive 'game' is a nice pedagogical device. But the talk stops well short of the technical depth you'd want from a conference billed around vulnerabilities. The methodology is described at a conceptual level…