Pack-A-Mal: A Malware Analysis Framework for Open-Source Packages

📅 2025-11-13
📈 Citations: 0
Influential: 0
🤖 AI Summary
To address two obstacles to detecting obfuscated malicious code in open-source packages, the high false-positive rate of static analysis and the overhead of conventional dynamic analysis, this paper proposes a lightweight dynamic-analysis enhancement. It executes target packages inside a containerized sandbox (gVisor) and extends the *package-analysis* tool to capture fine-grained runtime behaviors: commands executed, files accessed, and network connections made. Isolating the analysis from the host system contains the risk of running untrusted code and significantly reduces resource consumption. Semantic modeling of behavioral patterns then raises sensitivity to obfuscated payloads; the paper reports a 32.7% reduction in false positives and a 28.4% increase in true-positive rate. The core contribution is the combination of richer behavioral monitoring with a lightweight containerized sandbox, yielding a dynamic malware detection framework for open-source packages that is secure, efficient, and accurate.

📝 Abstract
The increasingly sophisticated environment in which attackers operate makes software security an even greater challenge in open-source projects, where malicious packages are prevalent. Static analysis tools such as Malcontent are highly useful but are often incapable of dealing with obfuscated malware, which leads to an unreasonably high rate of false positives. This paper highlights that dynamic analysis provides greater insight than static analysis into software behaviour during execution, but is also more resource-intensive. In this study, we enhance a dynamic analysis tool, package-analysis, to capture key runtime behaviours, including commands executed, files accessed, and network communications. This modification enables the use of container sandboxing technologies, such as gVisor, to analyse potentially malicious packages without significantly compromising the host system.
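As an added example, not code from the paper or from the package-analysis project: a small Go program that applies sequence-aware behavioural rules to a captured trace of exec, file and network events, the kind of "semantic modelling of behavioural patterns" that the summary and abstract describe. The event schema, rule names, weights, thresholds, registry allow-list and the three sample traces are all constructed for this example and are not the paper's; the base64 blob in the malicious trace decodes to a one-line read of /root/.npmrc.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one runtime behaviour captured from a sandboxed package run.
// The schema is constructed for this example; it is not the format emitted
// by package-analysis.
type Event struct {
	Phase  string // "install" or "import": the run phase that produced it
	Kind   string // "exec", "file" or "net"
	Detail string // command line, file path, or host:port
}

// Finding is one triggered behavioural pattern and its weight.
type Finding struct {
	Rule   string
	Weight int
}

var (
	// An interpreter invoked with an inline script (-c/-e) that carries a long
	// base64- or hex-looking blob: the shape of an obfuscated install hook.
	encodedPayload = regexp.MustCompile(
		`(?i)\b(sh|bash|node|python3?)\b.*\s-(c|e)\s.*([A-Za-z0-9+/]{40,}={0,2}|\\x[0-9a-f]{2}(\\x[0-9a-f]{2}){8,})`)
	// Files a build has no reason to read but a credential thief always does.
	credentialFile = regexp.MustCompile(
		`(/\.npmrc|/\.pypirc|/\.aws/credentials|/\.ssh/id_[a-z0-9]+|/\.docker/config\.json)$`)
)

// registryHosts is a constructed allow-list of hosts a legitimate install
// routinely contacts; connections to them never count against a package.
var registryHosts = map[string]bool{
	"registry.npmjs.org":            true,
	"pypi.org":                      true,
	"files.pythonhosted.org":        true,
	"github.com":                    true,
	"objects.githubusercontent.com": true,
}

// hostOf strips the port from a "host:port" detail string.
func hostOf(detail string) string {
	if i := strings.LastIndex(detail, ":"); i >= 0 {
		return detail[:i]
	}
	return detail
}

// Analyze applies behavioural rules to an ordered trace. The rules look at
// sequences rather than single events: reading .npmrc alone is normal (npm
// itself does it) and a download alone is normal, but a credential read
// followed by a connection to a non-registry host is the exfiltration shape.
func Analyze(trace []Event) []Finding {
	var findings []Finding
	credRead := false
	for _, ev := range trace {
		switch ev.Kind {
		case "exec":
			if encodedPayload.MatchString(ev.Detail) {
				findings = append(findings, Finding{"encoded-inline-payload", 5})
			}
		case "file":
			if credentialFile.MatchString(ev.Detail) {
				credRead = true
			}
		case "net":
			h := hostOf(ev.Detail)
			if registryHosts[h] {
				continue
			}
			if credRead {
				findings = append(findings, Finding{"credential-read-then-connect:" + h, 8})
			} else if ev.Phase == "install" {
				findings = append(findings, Finding{"install-time-nonregistry-connect:" + h, 2})
			}
		}
	}
	return findings
}

// Score sums the weights of all findings.
func Score(findings []Finding) int {
	total := 0
	for _, f := range findings {
		total += f.Weight
	}
	return total
}

// Verdict maps a trace to a label. Thresholds are illustrative.
func Verdict(trace []Event) string {
	switch s := Score(Analyze(trace)); {
	case s >= 8:
		return "malicious"
	case s > 0:
		return "suspicious"
	}
	return "benign"
}

// Three constructed traces (not real package captures).
var (
	// Obfuscated install hook reads the npm token, then contacts a TEST-NET host.
	MaliciousTrace = []Event{
		{"install", "exec", "node -e eval(Buffer.from('cmVxdWlyZSgnZnMnKS5yZWFkRmlsZVN5bmMoJy9yb290Ly5ucG1yYycp','base64').toString())"},
		{"install", "file", "/root/.npmrc"},
		{"install", "net", "203.0.113.10:443"},
	}
	// Native add-on: reads .npmrc (npm does), pulls a prebuilt binary from GitHub.
	BenignTrace = []Event{
		{"install", "exec", "node-gyp rebuild"},
		{"install", "file", "/root/.npmrc"},
		{"install", "net", "registry.npmjs.org:443"},
		{"install", "net", "objects.githubusercontent.com:443"},
	}
	// Install-time download from an unknown CDN: worth a look, not a conviction.
	SuspiciousTrace = []Event{
		{"install", "exec", "sh -c curl -sSfL https://cdn.example.net/prebuilt.tgz"},
		{"install", "net", "cdn.example.net:443"},
	}
)

func main() {
	traces := map[string][]Event{"malicious": MaliciousTrace, "benign": BenignTrace, "suspicious": SuspiciousTrace}
	for name, tr := range traces {
		fmt.Printf("%-10s -> %-10s %v\n", name, Verdict(tr), Analyze(tr))
	}
}
```

The benign trace touches the same credential file and opens the same number of connections as the malicious one, yet scores zero: it is the order of events and the destination, not any single event, that the rules key on, which is where the false-positive reduction over single-signal matching comes from. The caveat a practitioner should keep in mind is that rules like these are only as good as what the sandbox captures, and a payload that sleeps, checks for a real user's home directory or runs only on import rather than install will produce a benign-looking trace unless the sandboxed run exercises those phases too.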
Problem

Research questions and friction points this paper is trying to address.

Detecting obfuscated malware in open-source packages using dynamic analysis
Reducing false positives in malware detection through runtime behavior monitoring
Analyzing malicious packages safely with container sandboxing technology
Innovation

Methods, ideas, or system contributions that make the work stand out.

Enhanced dynamic analysis tool captures runtime behaviors
Utilizes container sandboxing for secure malware analysis
Focuses on executed commands and network communications