Serverless computing has rapidly emerged as a prominent cloud paradigm, enabling developers to focus solely on application logic without the burden of managing servers or underlying infrastructure. Public serverless repositories have become key to accelerating the development of serverless applications. However, their growing popularity makes them attractive targets for adversaries. Despite this, the security posture of these repositories remains largely unexplored, exposing developers and organizations to potential risks. In this paper, we present the first comprehensive analysis of the security landscape of serverless components hosted in public repositories. We analyse 2,758 serverless components from five widely used public repositories popular among developers and enterprises, and 125,936 Infrastructure as Code (IaC) templates across three widely used IaC frameworks. Our analysis reveals systemic vulnerabilities including outdated software packages, misuse of sensitive parameters, exploitable deployment configurations, susceptibility to typo-squatting attacks and opportunities to embed malicious behaviour within compressed serverless components. Finally, we provide practical recommendations to mitigate these threats.
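Two of the issue classes the abstract names, misuse of sensitive parameters and exploitable deployment configurations, can be caught with a simple template linter before a component is deployed. The following is an added example written for this page, not code from the paper or from any of the repositories it studies. It assumes AWS CloudFormation-style templates (the abstract does not say which three IaC frameworks were examined) and uses the real CloudFormation keys `Parameters`, `NoEcho`, `Default`, `Resources`, `Type`, `Properties`, `Policies` and `PolicyDocument`; the two sample templates and the `SECRET_HINTS` name heuristic are constructed for illustration.

```python
"""Added example: lint CloudFormation-style templates (held as Python dicts) for
secret-like parameters that are echoed or carry plaintext defaults, and for IAM
statements that grant wildcard actions on all resources. Sample templates below
are constructed, not taken from any real serverless component."""
import re
from typing import Dict, List

# Heuristic for parameter names/descriptions that suggest a credential (assumption).
SECRET_HINTS = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)

IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}


def _as_list(value) -> list:
    """CloudFormation accepts a scalar or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_parameters(template: Dict) -> List[str]:
    """Flag secret-like parameters without NoEcho or with a hard-coded Default."""
    findings = []
    for name, spec in template.get("Parameters", {}).items():
        text = name + " " + str(spec.get("Description", ""))
        if not SECRET_HINTS.search(text):
            continue
        # Without NoEcho the value appears in describe-stacks output and the console.
        if str(spec.get("NoEcho", "false")).lower() != "true":
            findings.append(f"Parameter {name}: sensitive parameter without NoEcho")
        # A Default on a secret-like parameter ships a plaintext credential with the template.
        if "Default" in spec:
            findings.append(f"Parameter {name}: sensitive parameter carries a plaintext Default")
    return findings


def check_iam(template: Dict) -> List[str]:
    """Flag Allow statements with wildcard actions on Resource '*'."""
    findings = []
    for res_name, res in template.get("Resources", {}).items():
        if res.get("Type") not in IAM_TYPES:
            continue
        props = res.get("Properties", {})
        # Inline role policies sit under Properties.Policies[].PolicyDocument;
        # AWS::IAM::Policy / ManagedPolicy carry Properties.PolicyDocument directly.
        docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        if "PolicyDocument" in props:
            docs.append(props["PolicyDocument"])
        for doc in docs:
            for stmt in _as_list(doc.get("Statement")):
                if stmt.get("Effect") != "Allow":
                    continue
                actions = [a for a in _as_list(stmt.get("Action")) if isinstance(a, str)]
                resources = [r for r in _as_list(stmt.get("Resource")) if isinstance(r, str)]
                if "*" in actions and "*" in resources:
                    findings.append(f"Resource {res_name}: Allow Action '*' on Resource '*'")
                elif any(a.endswith(":*") for a in actions) and "*" in resources:
                    findings.append(f"Resource {res_name}: service-wide wildcard action on Resource '*'")
    return findings


def lint_template(template: Dict) -> List[str]:
    """All findings for one template, parameters first, then IAM."""
    return check_parameters(template) + check_iam(template)


# Constructed samples: a weak template and its hardened counterpart.
WEAK_TEMPLATE = {
    "Parameters": {
        "DbPassword": {"Type": "String", "Default": "changeme"},
        "BucketName": {"Type": "String"},
    },
    "Resources": {
        "FnRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Policies": [{
                    "PolicyName": "allowall",
                    "PolicyDocument": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
                }]
            },
        }
    },
}

HARDENED_TEMPLATE = {
    "Parameters": {
        "DbPassword": {"Type": "String", "NoEcho": True},
        "BucketName": {"Type": "String"},
    },
    "Resources": {
        "FnRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Policies": [{
                    "PolicyName": "scoped",
                    "PolicyDocument": {"Statement": [{
                        "Effect": "Allow",
                        "Action": ["s3:GetObject"],
                        "Resource": ["arn:aws:s3:::example-bucket/*"],
                    }]},
                }]
            },
        }
    },
}

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, lint_template(tpl) or ["no findings"])
```

Run as a script, the weak template yields three findings (echoed password, plaintext default, `*`/`*` grant) and the hardened one yields none. A real pre-deployment check would load the templates with a YAML/JSON parser and extend the IAM rules, but the structure of the two checks is the same.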