2023
Conference Paper
Title
SoK: Practical Detection of Software Supply Chain Attacks
Abstract
Detecting malicious packages used in software supply chain attacks has become increasingly important in recent years. Researchers are constantly developing and evaluating different tools and approaches. However, a comparison of all scientific publications on this topic does not yet exist. This paper examines existing publications and points out their characteristics, advantages and limitations. We identified and analyzed 20 publications that deal with malicious package detection. For those, we summarize the key points of each approach, present the experiments performed, discuss the features and limitations of each, and finally compare them to each other. We show that some tools and approaches are outdated, not fully evaluated, or not feasible for production use. Promising approaches for automatic detection of attacks in the software supply chain are outlined as well.
Author(s)