As the largest package registry, \textit{Node Package Manager} (NPM) has become the prime target for various supply chain attacks recently and has been flooded with numerous malicious packages, posing significant security risks to end-users. Learning-based methods have recently demonstrated promising performance with good adaptability to various types of attacks. However, they suffer from two main limitations. First, they often utilize metadata features or coarse-grained code features extracted at the package level without considering complex code semantics. Second, the dataset used to train the model often suffers from a lack of variety both in quantity and diversity, thus missing detecting significant types of attacks.

To address these problems, we introduce Maltracker, a learning-based NPM malware tracker based on fine-grained features empowered by enhanced dataset. First, we extract fine-grained features via performing code analysis. Specifically, we construct \textit{call graph} to extract suspicious functions that are reachable to a pre-defined set of sensitive APIs, and then utilize \textit{community detection} algorithm to identify suspicious code gadgets based on \textit{program dependency graph}, from which fine-grained features are then extracted. To address the second limitation, we extend the dataset using advanced \textit{large language models} (LLM) to translate malicious instances from other languages (\eg~C/C++, Python, and Go) into JavaScript. Our evaluation shows that Maltracker can achieve an {improvement of about 12.6% in terms of F1-score at the package level and 31% at the function level compared with the SOTA learning-based methods}. Moreover, the key components of Maltracker~all contribute to the effectiveness of its performance. Finally, Maltracker~has also detected 230 new malicious packages in NPM and received 61 thanks letters from NPM, among which some contain new malicious behaviors that cannot be detected by existing tools.