PyPI, the official package registry for Python, has become the major accessory for adversaries to distribute malicious packages and undertake open source supply chain attacks. In the recent years, PyPI has seen a recent surge in malicious package uploads. To exclude malicious PyPI packages, it is unrealistic to manually inspect and label the maliciousness of packages given the huge number of new packages uploaded every day. Therefore, malicious PyPI package detection is critical in safeguarding the security of open source software. Existing approaches use static feature extraction and metadata to detect malicious packages. However, the feature extraction relies on the rules predefined by expert. Attackers can also evade the detection according to the rules.In addition, existing approaches only uses partial information from metadata, such as package name and version name, which would hinder the effectiveness result of malicious package detection.

In this paper, we propose EA4MP, a novel approach which integrates deep code behavior features with metadata features, to detect malicious packages on PyPI. Specifically, EA4MP extracts code behavior sequences from all script files, and fine-tunes a BERT model to learn deep semantic features of malicious code. Besides, EA4MP extracts the metadata features from the PKG-INFO based on a group of pre-defined expert rules, and trains a ML model. Finally, EA4MP constructs an ensemble classifier based on the Adaboost algorithm to detect malicious packages. We evaluated EA4MP against VirusTotal, OSSGadget, and Bandit4Mal on a newly-constructed dataset. The experimental results show that EA4MP improves precision by 6.9%-24.6% and recall by 10.5%-18.4%. We also monitored 46,573 software packages uploaded on PyPI between March 28 and April 18, 2024, 119 of which are malicious packages found by EA4MP. We reported these packages to PyPI officials, and 82 of them have been removed.