Title: You Can Run But You Can't Hide: Runtime Protection Against Malicious Package Updates For Node.js

Authors: Pohl, Timo; Ohm, Marc; Boes, Felix; Meier, Michael

Editors (Sicherheit 2024 proceedings): Wendzel, Steffen; Wressnegger, Christian; Hartmann, Laura; Freiling, Felix; Armknecht, Frederik; Reinfelder, Lena

Date: 2024-04-19
Year: 2024
Type: Text/Conference Paper
Language: en
ISBN: 978-3-88579-739-5
ISSN: 1617-5468
DOI: 10.18420/sicherheit2024_015
URL: https://dl.gi.de/handle/20.500.12116/43955

Keywords: Software Supply Chain; Policy Enforcement; Abstract Syntax Trees

Abstract: Malicious software packages are often used in software supply chain attacks. Detecting these packages is a top priority, and many academic and commercial approaches have been developed for this purpose. In the event of an attack, it is essential to have resilience against malicious code. To address this issue, we introduce a runtime protection for Node.js that automatically limits the capabilities of packages to a minimum level. The implementation and evaluation of the detection and enforcement of necessary capabilities at runtime were conducted against known malicious attacks. Our approach successfully prevented 90 % of historical attacks with a median install-time overhead of less than 0.6 seconds and a median runtime overhead of less than 0.2 seconds.