Supply Chain Monitor: Automated Detection of Package Compromises
Summary
Supply Chain Monitor is a powerful tool by Elastic designed to automatically detect supply chain compromises in popular PyPI and npm packages. It polls registries for new releases, diffs them against predecessors, and uses an LLM via Cursor Agent CLI to classify changes as benign or malicious. Malicious findings trigger immediate Slack alerts, enhancing security for your software dependencies.
Repository Info
Tags
Click on any tag to explore related repositories
Introduction
The Supply Chain Monitor by Elastic offers an automated solution for safeguarding your software dependencies against supply chain attacks. This Python-based tool continuously monitors the top PyPI and npm packages for new releases. When a new version is detected, it performs a detailed diff against the previous release and leverages an LLM (via Cursor Agent CLI) to analyze the changes. The LLM is specifically prompted to identify suspicious patterns, classifying diffs as either benign or malicious. If a malicious change is identified, the system automatically triggers a Slack alert, providing early warning of potential compromises.
The monitor is designed to look for various indicators of compromise, including obfuscated code, unexpected network calls, file system writes to sensitive locations, process spawning, credential exfiltration, and typosquatting.
Installation
To get started with Supply Chain Monitor, you'll need Python 3.9+ and the Cursor Agent CLI.
Prerequisites
- Python 3.9+: Install runtime dependencies using
pip install -r requirements.txt. Therequirements.txtfile is located in the repository. - Cursor Agent CLI: This is the standalone
agentbinary, not the IDE.
Installing Cursor Agent CLI
Windows (PowerShell):
irm 'https://cursor.com/install?win32=true' | iex
macOS / Linux:
curl https://cursor.com/install -fsS | bash
Verify your installation with:
agent --version
You must also authenticate with Cursor using agent login or by setting the CURSOR_API_KEY environment variable.
Slack Configuration
For receiving alerts, configure Slack by placing your bot token in etc/slack.json:
{
"url": "https://hooks.slack.com/services/...",
"bot_token": "xoxb-...",
"channel": "C01XXXXXXXX"
}
Ensure your bot has chat:write scope on the target channel, and channel is set to the Slack channel ID where alerts should be posted.
Examples
The monitor.py script is the main orchestrator. Here are some quick start commands:
- One-shot analysis: Analyze releases from the last approximately 10 minutes, then exit.
python monitor.py --once - Continuous monitoring: Monitor the top 1000 packages from both ecosystems, polling every 5 minutes.
python monitor.py --top 1000 --interval 300 - Production setup: Monitor the top 15000 packages, polling every 5 minutes, with Slack alerts enabled.
python monitor.py --top 15000 --interval 300 --slack - npm only: Monitor the top 5000 npm packages.
python monitor.py --no-pypi --npm-top 5000 - PyPI only: Monitor PyPI packages exclusively.
python monitor.py --no-npm
Why Use It
Supply Chain Monitor provides crucial benefits for maintaining the security of your software projects:
- Proactive Threat Detection: It continuously monitors popular package registries, identifying potential compromises before they can impact your systems.
- LLM-Powered Analysis: By leveraging an LLM, the tool can intelligently analyze code differences, detecting sophisticated obfuscation, malicious network calls, and other advanced attack techniques that might evade traditional static analysis.
- Real-time Alerts: Immediate Slack notifications for malicious findings enable rapid response to security incidents.
- Broad Coverage: Monitors both PyPI and npm, covering a vast array of open-source dependencies.
- Lightweight Operation: Designed to be efficient, making only a few API calls per poll interval and per new release, minimizing overhead.
Links
- GitHub Repository: https://github.com/elastic/supply-chain-monitor