ArXivCSExplorer
☆☆Bookmarks🏆RSSHow to UseFAQ
Built with and by Teycir Ben Soltane•
How to Use•FAQ•GitHub•arXiv.org•
Share:

~ similar to 2606.14036· 20 results

cs.CRRecentApr 19, 2026

Original Sin of npm: A Study on Vulnerability Propagation in JavaScript Dependency Networks

Michael Robinson, Sajal Halder, Muhammad Ejaz Ahmed, Muhammad Ikram +2 more

The paper analyzes a large dataset of JavaScript packages to demonstrate that a small number of vulnerable dependencies can propagate vulnerabilities across a disproportionately large number of packag…

View →
cs.CRcs.AIcs.SERecentMay 5, 2026

Cryptographic Registry Provenance: Structural Defense Against Dependency Confusion in AI Package Ecosystems

Alan L. McCann

The paper proposes a comprehensive cryptographic distribution provenance system to structurally defend against dependency confusion attacks in software package ecosystems.

View →
cs.CRRecentMar 17, 2026

SynthChain: A Synthetic Benchmark and Forensic Analysis of Advanced and Stealthy Software Supply Chain Attacks

Zhuoran Tan, Wenbo Guo, Taylor Brierley, Jiewen Luo +2 more

The paper introduces SynthChain, a comprehensive, multi-source synthetic testbed and dataset that demonstrates that detecting advanced software supply chain attacks requires fusing evidence from multi…

View →
cs.SEcs.CRRecentMar 25, 2026

Software Supply Chain Smells: Lightweight Analysis for Secure Dependency Management

Larissa Schmid, Diogo Gaspar, Raphina Liu, Sofia Bobadilla +2 more

The paper introduces 'software supply chain smells,' structural indicators of security risks in third-party dependencies, and presents Dirty-Waters, a tool that detects these smells, finding that diff…

View →
cs.CRRecentMay 28, 2026

S3C2 Summit 2025-09: Industry Secure Supply Chain Summit

Md Atiqur Rahman, Yasemin Acar, Michel Cucker, William Enck +4 more

This report summarizes the key takeaways from the S3C2 Summit 2025-09, a gathering of industry practitioners focused on identifying best practices and challenges in securing modern software supply cha…

View →
cs.SEcs.CRcs.LGRecentApr 4, 2026

Towards Predicting Multi-Vulnerability Attack Chains in Software Supply Chains from Software Bill of Materials Graphs

Laura Baird, Armin Moin

The paper proposes a graph-learning approach to predict multi-vulnerability attack chains within software supply chains, achieving high accuracy on both component classification and cascade prediction…

View →
cs.SEcs.CRRecentApr 15, 2026

Analysis of Commit Signing on Github

Abubakar Sadiq Shittu, John Sadik, Farzin Gholamrezae, Scott Ruoti

This study provides an ecosystem-scale measurement of commit signing on GitHub, finding that current signing adoption rates are misleading and that developers struggle to maintain consistent, long-ter…

View →
cs.CRcs.AIcs.SERecentApr 22, 2026

Taint-Style Vulnerability Detection and Confirmation for Node.js Packages Using LLM Agent Reasoning

Ronghao Ni, Mihai Christodorescu, Limin Jia

The paper introduces LLMVD.js, a multi-stage LLM agent pipeline that effectively detects and confirms taint-style vulnerabilities in Node.js packages, achieving significantly higher confirmation rates…

View →
cs.SEcs.CRRecentJun 1, 2026

Poking Around in the Dark: Why a Shared Understanding of Components Matters

Felix Reichmann, Wolfgang Krane, Alena Naiakshina, Martin Johns +1 more

The paper argues that current Software Bills of Materials (SBOMs) are fundamentally flawed due to a lack of shared understanding regarding what constitutes a 'component,' demonstrating that existing t…

View →
cs.CRRecentApr 9, 2026

Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain

Hanzhi Liu, Chaofan Shou, Hongbo Wen, Yanju Chen +2 more

This paper systematically analyzes the threat posed by malicious third-party API routers in the LLM supply chain, finding that a significant number of routers actively perform payload injection, crede…

View →
cs.CRRecentMay 10, 2026

Trust Me, Import This: Dependency Steering Attacks via Malicious Agent Skills

Yiyong Liu, Chia-Yi Hsu, Chun-Ying Huang, Michael Backes +2 more

This paper introduces Dependency Steering, a novel attack paradigm demonstrating that malicious agent skills can actively bias LLM coding agents to use attacker-controlled packages, posing a significa…

View →
cs.CRcs.SERecentMar 19, 2026

Cross-Ecosystem Vulnerability Analysis for Python Applications

Georgios Alexopoulos, Nikolaos Alexopoulos, Thodoris Sotiropoulos, Charalambos Mitropoulos +2 more

The paper introduces a provenance-aware vulnerability analysis approach that accurately identifies cross-ecosystem vulnerabilities in Python applications by resolving vendored native libraries to spec…

View →
cs.CRcs.SEeess.SPRecentApr 11, 2026

Organizational Security Resource Estimation via Vulnerability Queueing

Abdullah Y. Etcibasi, Zachary Dobos, C. Emre Koksal

The paper proposes a dynamic queueing framework that estimates an organization's cyber resources and attack surface dynamics by analyzing the timestamps of vulnerabilities and fixes, achieving high ac…

View →
cs.CRRecentApr 1, 2026

Obfuscating Code Vulnerabilities against Static Analysis in JavaScript Code

Francesco Pagano, Lorenzo Pisu, Leonardo Regano, Davide Maiorca +2 more

This paper empirically demonstrates that current Static Application Security Testing (SAST) tools are fundamentally unreliable against common JavaScript obfuscation techniques, showing that obfuscatio…

View →
cs.CRRecentMar 23, 2026

Semi-Automated Threat Modeling of Cloud-Based Systems Through Extracting Software Architecture from Configuration and Network Flow

Nicholas Pecka, Lotfi Ben Othmane, Bharat Bhargava, Renee Bryce

The paper proposes a novel semi-automated method to perform continuous threat modeling by inferring the actual system architecture from combined static configuration and dynamic network flow data, sig…

View →
cs.CRRecentMay 26, 2026

The Fault in Our Drafts: Vulnerabilities in RPKI Specification and Software

Oliver Jacobsen, Tobias Kirsch, Haya Schulmann, Niklas Vogel +1 more

This paper analyzes RPKI specifications, demonstrating that vague or conflicting requirements in dozens of RFCs cause systemic vulnerabilities in real-world implementations, leading to 61 undocumented…

View →
cs.CRRecentMay 20, 2026

VIPER-MCP: Detecting and Exploiting Taint-Style Vulnerabilities in Model Context Protocol Servers

Pengyu Sun, Qishu Jin, Enhao Huang, Zifeng Kang +3 more

VIPER-MCP is a novel, end-to-end automated framework that detects and dynamically confirms the exploitability of taint-style vulnerabilities in Model Context Protocol (MCP) servers, achieving high-fid…

View →
cs.SEcs.CRRecentMar 27, 2026

A Large-scale Empirical Study on the Generalizability of Disclosed Java Library Vulnerability Exploits

Zirui Chen, Qi Zhan, Jiayuan Zhou, Xing Hu +2 more

This paper conducts a large-scale empirical study demonstrating that Java library exploits can accurately identify affected versions, achieving high recall and precision, and proposes strategies for e…

View →
cs.CRcs.CYcs.DCRecentMay 15, 2026

From Backup Restoration to Minimum Viable Factory Recovery: A Systematization of Ransomware Recovery in Manufacturing Systems

Chun Yin Chiu

The paper reframes manufacturing ransomware recovery from a simple backup restoration task to a complex critical-infrastructure continuity problem, proposing Minimum Viable Factory Recovery (MVF Recov…

View →
cs.CRcs.AIRecentApr 3, 2026

Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis

Zhiyuan Li, Jingzheng Wu, Xiang Ling, Xing Cui +1 more

This paper provides the first comprehensive security analysis of the Agent Skills framework, identifying severe structural vulnerabilities that require fundamental architectural changes rather than si…

View →