Shenao Wang

Shenao Wang

What's Past Is Prologue ✨

😀 About Me

Hi, there! I am Shenao Wang (王申奥). I am currently pursuing my Ph.D. at Huazhong University of Science and Technology (HUST), supervised by Prof. Haoyu Wang, working with folks at Security PRIDE Research Group (Security, Privacy, and Dependability in Emerging Software Systems). Previously, I received my B.Eng. degree at Xidian University, under supervision of Prof. Hui Li in June 2023.

I am interested in the intersection of security, program analysis, and agentic systems. Specifically, I focus on developing impactful, real-world solutions for detecting and defending against vulnerabilities in a wide range of systems.

  • OSS Security: NPM/PyPI Code Poisoning (ASE’23, ASE’24)
  • Endpoint Security: Ransomware (CCS’24), MiniApp Security (ASE’23, ASE’25) & Privacy (SaTS’23, TOSEM’25)
  • Agentic Security: Agentic Supply Chain (ASE’24, TOSEM’25), Agentic Software (ICSE’26), LLM Infra (ASE’25, ICSE’26)

If you would like to reach me, please send an email to shenaowang AT hust.edu.cn

🎉 News

  • 03/2026: One paper working on multi-language static analysis in collaboration AntGroup was accepted by FSE 2026 Industry Track!
  • 10/2025: Two papers working on LLM Infra Security were accepted by ICSE 2026!
  • 08/2025: Our paper working on Cookie Sharing in MiniApps was accepted by ASE’25!
  • 12/2024: Our paper working on MiniApp privacy was accepted by TOSEM!
  • 11/2024: Two papers working on LLM Apps and Supply Chain were accepted by TOSEM 2030 SE Roadmap!
  • 11/2024: We won the third prize in Software Research Prototype System Competition of ChinaSoft 2024.
Older News
  • 08/2024: Two papers working on OSS/LLM supply chain security were accepted by ASE 2024 (Industry Showcase)!
  • 07/2024: Our paper on ransomware detection in industrial environments was accepted by CCS 2024. See you in Salt Lake City!
  • 12/2023: We won the third prize in Software Research Prototype System Competition of ChinaSoft 2023.
  • 08/2023: Our paper on malicious npm/pypi package detection was accepted by ASE 2023 (Industry Challenge Track).
  • 07/2023: Our paper on WeChat AppSecret Leaks was accepted by ASE 2023.
  • 06/2023: I received my B.Eng. degree at Xidian University. :)
  • 05/2023: I was invited to give a presentation at the first Cyber Security Innovation Forum in Wuhan.
  • 09/2022: I became a member of SECURITY PRIDE Research Group.

📝 Publications

(* Equal Contribution)

Preprints

  1. Demystifying and Detecting Agentic Workflow Injection Vulnerabilities in GitHub Actions PDF
    Shenao Wang*, Xinyi Hou*, Zhao Liu, Yanjie Zhao, Xiao Cheng, Quanchen Zou, Xiangzheng Zhang, Haoyu Wang
  2. "Elementary, My Dear Watson." Detecting Malicious Skills via Neuro-Symbolic Reasoning across Heterogeneous Artifacts PDF
    Shenao Wang, Junjie He, Yanjie Zhao, Yayi Wang, Kan Yu, Haoyu Wang

Selected Publications

2026
  1. [C18] Demystifying LLM Supply Chain Vulnerabilities in the Wild: Distribution, Root Cause, and Real-World Impact CCF-C
    Shenao Wang, Yanjie Zhao, Zhao Liu, Quanchen Zou, Haoyu Wang
    The 17th Asia-Pacific Symposium on Internetware (Internetware'26) PDF
  2. [C17] Unveiling Large Language Model Supply Chain: Structure, Domain, and Vulnerabilities CCF-C
    Yanzhe Hu*, Shenao Wang*, Yuhan Tang, Tianyuan Nie, Yanjie Zhao, Haoyu Wang
    The 17th Asia-Pacific Symposium on Internetware (Internetware'26) PDF
  3. [C15] YASA: Scalable Multi-Language Taint Analysis on the Unified AST at Ant Group CCF-A CORE-A*
    Yayi Wang*, Shenao Wang*, Jian Zhao, Shaosen Shi, Ting Li, Yan Cheng, Lizhong Bian, Kan Yu, Yanjie Zhao, Haoyu Wang
    The ACM International Conference on the Foundations of Software Engineering, Industry Track (FSE'26) PDF Repo
  4. [C13] VDBFuzz: Understanding and Detecting Crash Bugs in Vector Database Management Systems CCF-A CORE-A*
    Shenao Wang*, Zhao Liu*, Yanjie Zhao, Quanchen Zou, Haoyu Wang
    The 48th IEEE/ACM International Conference on Software Engineering (ICSE'26) PDF Repo
  5. [C12] TaintP2X: Detecting Taint-Style Prompt-to-Anything Injection Vulnerabilities in LLM-Integrated Applications CCF-A CORE-A*
    Junjie He*, Shenao Wang*, Yanjie Zhao, Xinyi Hou, Zhao Liu, Quanchen Zou, Haoyu Wang
    The 48th IEEE/ACM International Conference on Software Engineering (ICSE'26) PDF Repo
  6. [J6] Survey of Storage Mechanism Security Threats for Large Language Models CCF-T1
    Liu Wang*, Shenao Wang*, Xinyi Hou, Jian Zhao, Rongxin Wu, Qiao Xiang, Yanjie Zhao, Yi Wang
    Journal of Computer Research and Development, in Chinese PDF
2025
  1. [C11] Demystifying Cookie Sharing Risks in WebView-based Mobile App-in-app Ecosystems CCF-A CORE-A*
    Miao Zhang*, Shenao Wang*, Guilin Zheng, Yanjie Zhao, Haoyu Wang
    The 40th IEEE/ACM International Conference on Automated Software Engineering (ASE'25) PDF
  2. [J3] MiniScope: Automated UI Exploration and Privacy Inconsistency Detection of MiniApps via Two-phase Iterative Hybrid Analysis CCF-A
    Shenao Wang, Yuekang Li, Kailong Wang, Yi Liu, Hui Li, Yang Liu, Haoyu Wang
    ACM Transactions on Software Engineering and Methodology (TOSEM) PDF Repo
    Also accepted by FSE 2025 Journal First Track
  3. [C9] Seeing is (Not) Believing: The Mirage Card Attack Targeting Online Social Networks CCF-C
    Wangchenlu Huang*, Shenao Wang*, Yanjie Zhao, Guosheng Xu, Haoyu Wang
    Proceedings of the 16th Asia-Pacific Symposium on Internetware (Internetware'25) PDF
  4. [J1] Large Language Model Supply Chain: A Research Agenda CCF-A
    Shenao Wang, Yanjie Zhao, Xinyi Hou, Haoyu Wang
    ACM Transactions on Software Engineering and Methodology, Special Issue: 2030 Software Engineering Roadmap (TOSEM) PDF Repo
2024
  1. [C6] CanCal: Towards Real-time and Lightweight Ransomware Detection and Response in Industrial Environments CCF-A CORE-A*
    Shenao Wang*, Feng Dong*, Hangfeng Yang, Jingheng Xu, Haoyu Wang
    The 2024 ACM SIGSAC Conference on Computer and Communications Security (CCS'24) PDF
  2. [C5] Models Are Codes: Towards Measuring Malicious Code Poisoning Attacks on Pre-trained Model Hubs CCF-A CORE-A*
    Jian Zhao*, Shenao Wang*, Yanjie Zhao, Xinyi Hou, Kailong Wang, Peiming Gao, Yuanchao Zhang, Chen Wei, Haoyu Wang
    The 39th IEEE/ACM International Conference on Automated Software Engineering, Industry Showcase (ASE'24) PDF Repo

Full List →

🔗 Service

Reviewer

  • 2026: TIFS, IEEE T. Cybern.
  • 2025: TDSC, TOSEM, TOPS, EMSE

Sub Reviewer

  • 2026: USENIX Security, ASE, WWW, SIGCOMM
  • 2025: S&P, FSE, ISSTA, ASE, NSDI, AsiaCCS, PoPETs, IWQoS
  • 2024: CCS, FSE, ISSTA, WWW, IMC, Internetware, MSR, EASE, MobileSoft, SaTS, MobiLLM, LCTES

Publicity & Web Chair

  • LLMSC Workshop @FSE 2026
  • LLMSC Workshop @ISSTA 2025

🎤 Talks

  • 04/2026, Agentic Software Security: Current State, Opportunities and Challenges, invited by Ant Group
  • 04/2026, Towards Reliable Vector Database Management Systems, invited by TEST Lab @ NUS
  • 09/2024, Supply Chain Poisoning: From Open-source Software to Pre-trained Models, invited by CCF-ODC-OSS

👾 Experience

Education

  • 09/2019 - 06/2023, B.Eng., Xidian University, Xi’an, China.
  • 09/2023 - 06/2025, M.S.-Ph.D. Track Student, Huazhong University of Science and Technology, Wuhan, China.
  • 09/2025 - Present, Ph.D. Student, Huazhong University of Science and Technology, Wuhan, China.

Intern

  • 01/2024 - 02/2024, Research Intern, Ant Group (MYbank), Hangzhou, China.
  • 09/2024 - 09/2025, Research Intern, Jinyinhu Lab, Wuhan, China.
  • 08/2025 - Present, Research Intern (Static Analysis, working on YASA and UAST), Ant Group, Chengdu, China.

🏆 Honors & Awards

Awards

  • 2024 - Third Prize, Prototype Competition in ChinaSoft'24
  • 2023 - Bronze Award, National Innovation Competition
  • 2023 - Third Prize, Prototype Competition in ChinaSoft'23
  • 2022 - First Prize, National Digital Forensics Competition (19/764)
  • 2022 - First Prize & Most Valuable Award, National College Student Information Security Contest (2/728)
  • 2022 - Meritorious Winner, MCM/ICM (Problem A)
  • 2021 - First Prize, National Cryptographic Competition (16/121)
  • 2021 - First Prize, CUMCM in Shannxi Province

Honors

  • 2025 - National Scholarship, Ministry of Education of P.R. China
  • 2025 - SIGSOFT CAPS AWARD FSE/ISSTA 2025
  • 2024 - National Scholarship, Ministry of Education of P.R. China
  • 2024 - Huawei Scholarship (4 recipients among 700+ graduate students)
  • 2024 - Merit Student, Huazhong University of Science and Technology
  • 2023 - Outstanding Graduate of Shaanxi Province
  • 2023 - Outstanding Bachelor Thesis, Xidian University
  • 2022 - President Scholarship, Xidian University (5 recipients among 5,300+ undergraduates)
  • 2022 - National Scholarship, Ministry of Education of P.R. China (Top 1%)
  • 2022 - Xiaomi Special Scholarship (5 recipients among 5,300+ undergraduates)
  • 2021 - Excellent Student Cadre, Xidian University
  • 2021 - National Encouragement Scholarship, Ministry of Education of P.R. China
  • 2020 - Pacemaker to Merit Student, Xidian University
  • 2020 - Special Scholarship, Xidian University (Top 1%)

🐞 StarBugs

I have discovered some vulnerabilities in popular OSS. A selective list is shown below.

🌟 Grants

  • Detection of Supply Chain Poisoning
    Cybersecurity College Student Innovation Funding Program
    Funded by CSAC and DiDi, 2025.08-2026.06
  • Multilingual Program Analysis
    Cybersecurity College Student Innovation Funding Program
    Funded by CSAC and AntGroup, 2024.07-2025.04
  • Permission Abuse Detection in Android/iOS Apps
    Cybersecurity College Student Innovation Funding Program
    Funded by CSAC and NIO, 2022.07-2023.11 (Excellent Project [6/240])

© Copyright 2026 Shenao Wang. Last Updated: 13 Jun 2026