🤖 AI Summary
Existing approaches to detecting malicious NPM packages struggle to identify obfuscated samples due to their neglect of JavaScript object semantics and insufficient integration of static and dynamic analysis. This work proposes a novel detection framework that combines object-sensitive behavioral graphs with multi-agent reasoning powered by large language models. The framework employs static analysis to extract security-relevant code slices and inject evidential annotations, which are then independently assessed by local agents and collectively adjudicated by a global agent. For ambiguous cases, it dynamically selects either sandbox execution or NPM semantic augmentation for reanalysis and precise malicious fragment localization. By incorporating self-consistency aggregation and a synergistic static-dynamic mechanism, the method achieves an F1-score of 98.1%, outperforming state-of-the-art techniques by 3.5%–52.6%, and has successfully identified 597 previously unknown malicious packages, all confirmed and removed by the NPM registry.
📝 Abstract
Open source software is vulnerable to supply-chain attacks through transitive dependencies, especially malicious code injected into NPM packages. Existing detectors often inadequately model obfuscated behavior, overlook JavaScript's object-centric features, poorly coordinate static and dynamic analysis, and lose semantic information during behavior abstraction. We propose ProfMalPlus, a malicious NPM package detector combining object-sensitive behavior graphs with coordinated LLM reasoning over annotated code slices. It identifies installation commands and entry files, then constructs graphs capturing sensitive APIs, third-party calls, and unresolved calls. From these graphs, ProfMalPlus extracts security-relevant slices and adds inline static analysis evidence. Local judge agents independently assess each slice. Self-consistency consolidates repeated judgements to reduce LLM variance, while a global judge synthesizes their reports into an entry-level verdict. For undetermined cases, a router selects either third-party enrichment, which adds registry derived module and method semantics, or dynamic augmentation, which executes the package in a sandbox to resolve runtime dependent behavior. The enriched evidence is fed back for reassessment. Finally, a localization agent reports malicious code snippets with explanations. ProfMalPlus achieves a 98.1% F1-score, outperforming state-of-the-art detectors by 3.5% to 52.6%. It also identified 597 previously unknown malicious packages, all confirmed and removed from NPM.