Software ecosystems built around programming languages have greatly
facilitated software development. At the same time, their security has
increasingly been acknowledged as a problem. To this end, the paper examines
the previously overlooked longitudinal aspects of software ecosystem security,
focusing on malware uploaded to six popular programming language ecosystems.
The dataset examined is based on the new Open Source Vulnerabilities (OSV)
database. According to the results, records about detected malware uploads in
the database have recently surpassed those addressing vulnerabilities in
packages distributed in the ecosystems. In the early 2025 even up to 80% of all
entries in the OSV have been about malware. Regarding time series analysis of
malware frequencies and their shares to all database entries, good predictions
are available already by relatively simple autoregressive models using the
numbers of ecosystems, security advisories, and media and other articles as
predictors. With these results and the accompanying discussion, the paper
improves and advances the understanding of the thus far overlooked longitudinal
aspects of ecosystems and malware.

Cet article explore les excursions dans le temps et leurs implications.

Télécharger PDF: