Dear all,
we would like to belatedly register two publications.
SPARTA has been acknowledged in both.
They have already been added to the Spreadsheet of publications.
**Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks**
Ohm, M., Plate, H., Sykosch, A., Meier, M. (2020, July)
17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (p. 23). Springer.
Abstract:
A software supply chain attack is characterized by the injection of
malicious code into a software package in order to compromise dependent
systems further down the chain. Recent years saw a number of supply
chain attacks that leverage the increasing use of open source during
software development, which is facilitated by dependency managers that
automatically resolve, download and install hundreds of open source
packages throughout the software life cycle. Even though many approaches
for detection and discovery of vulnerable packages exist, no prior work
has focused on malicious packages. This paper presents a dataset as well
as analysis of 174 malicious software packages that were used in
real-world attacks on open source software supply chains and which were
distributed via the popular package repositories npm, PyPI, and
RubyGems. Those packages, dating from November 2015 to November 2019,
were manually collected and analyzed. This work is meant to facilitate
the future development of preventive and detective safeguards by open
source and research communities.
**Towards Detection of Software Supply Chain Attacks by Forensic Artifacts**
Ohm, M., Sykosch, A., Meier, M. (2020, August)
15th International Conference on Availability, Reliability and Security. ACM.
Abstract:
Third-party dependencies may introduce security risks to the software
supply chain and hence yield harm to their dependent software. There are
many known cases of malicious open source packages posing risks to
developers and end users. However, while efforts are made to detect
vulnerable open source packages, malicious packages are not yet
considered explicitly. In order to tackle this problem we perform an
exploratory case study on attacks that previously occurred on the software
supply chain with respect to the observable artifacts created. Based on
the insights gained, we propose Buildwatch, a framework for dynamic analysis
of software and its third-party dependencies. We noticed that malicious
packages introduce a significant amount of new artifacts during
installation when compared to benign versions of the same package. The
paper presents a first analysis of observable artifacts of malicious
packages as well as a possible mitigation strategy that might lead to
more insight in the long term.
Best regards,
Marc Ohm
--
--------------------------------------------------------------------
Marc-Philipp Ohm, M.Sc. | Tel. : +49 228 73-60531
Computer Science 4 | Email : ohm(a)cs.uni-bonn.de
University of Bonn | Web : https://net.cs.uni-bonn.de
Endenicher Allee 19a | Office: I.015
53115 Bonn, Germany | PGP ID: 0x9156D1B6
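The second abstract's core observation, that a malicious package leaves noticeably more new artifacts on disk at install time than a benign version of the same package, is something a practitioner can check with a simple before/after snapshot of a sandbox. The script below is an added illustration of that idea and is not Buildwatch's own code or anything from the papers; the two "installer" functions and the file names they create are constructed stand-ins for a real package-manager run, and the flagging thresholds (`ratio`, `margin`) are assumptions chosen for the example.

```python
"""Install-time artifact diffing, in the spirit of the Buildwatch idea.

Added example, not the authors' code. Snapshot a sandbox directory, run the
install step, snapshot again, and report what the install left behind. A
candidate version that creates many more new artifacts than the benign
baseline of the same package, especially outside its own package directory,
is worth a closer look.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, Set, Tuple

Snapshot = Dict[str, str]
Diff = Tuple[Set[str], Set[str], Set[str]]


def snapshot(root: Path) -> Snapshot:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            snap[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Diff:
    """Return (new, modified, deleted) relative paths between two snapshots."""
    new = set(after) - set(before)
    deleted = set(before) - set(after)
    modified = {p for p in set(before) & set(after) if before[p] != after[p]}
    return new, modified, deleted


def artifacts_from_install(install_fn: Callable[[Path], None]) -> Diff:
    """Run install_fn inside a fresh temporary sandbox and diff the filesystem."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        before = snapshot(root)
        install_fn(root)  # in practice: the real package-manager install step
        after = snapshot(root)
        return diff_snapshots(before, after)


def flag_excess_artifacts(baseline_new: int, candidate_new: int,
                          ratio: float = 2.0, margin: int = 3) -> bool:
    """Flag a candidate that leaves far more new artifacts than the benign baseline.

    Both thresholds are assumptions for this example: the candidate must create
    at least `ratio` times as many new files AND at least `margin` more in absolute
    terms, so tiny packages do not trip the ratio alone.
    """
    return candidate_new >= baseline_new * ratio and candidate_new - baseline_new >= margin


# Constructed sample installers standing in for two versions of one package.
def benign_install(root: Path) -> None:
    pkg = root / "site-packages" / "demo_pkg"
    pkg.mkdir(parents=True)
    (pkg / "__init__.py").write_text("VERSION = '1.0'\n")
    (pkg / "core.py").write_text("def run():\n    return 'ok'\n")


def suspicious_install(root: Path) -> None:
    """Same package contents as the benign version, plus extra artifacts."""
    benign_install(root)
    home = root / "home" / "user" / ".config"
    home.mkdir(parents=True)
    (home / "persist.txt").write_text("constructed sample\n")   # outside package dir
    (root / "tmp").mkdir()
    (root / "tmp" / "stage.bin").write_bytes(b"\x00constructed")  # outside package dir
    (root / "site-packages" / "demo_pkg" / "helper.py").write_text("# extra module\n")


def analyze() -> Dict[str, object]:
    """Compare the candidate's install-time artifacts against the benign baseline."""
    base_new, _, _ = artifacts_from_install(benign_install)
    cand_new, _, _ = artifacts_from_install(suspicious_install)
    unexpected = sorted(cand_new - base_new)
    return {
        "baseline_new": len(base_new),
        "candidate_new": len(cand_new),
        "unexpected": unexpected,
        "outside_package_dir": [p for p in unexpected if not p.startswith("site-packages/")],
        "flagged": flag_excess_artifacts(len(base_new), len(cand_new)),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

The sandbox here is only a temporary directory with constructed installer functions; in real use the snapshots would bracket the actual `pip`/`npm`/`gem` install inside a disposable container or VM, and paths written outside the package's own directory deserve the most attention.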