Malicious Package Protection

A malicious package is a piece of code disguised as a legitimate software component but designed to harm systems or steal data. Unlike packages that only contain unintentional security weaknesses (vulnerabilities) that can potentially be exploited by bad actors, malicious packages are designed and propagated with malevolent intent.

The threat level to organizations of supply chain attacks in general, and malicious packages in particular, has been rapidly rising over the past few years. The numbers tell a disturbing story: Checkmarx’ AppSec research team has discovered more than 420,000 publicly available malicious packages (as of November 2024). 76% of CISOs are concerned about the dangers of malicious packages (Checkmarx survey, 2024). The average cost of a software supply chain compromise was $4.63 million, which is 8.3% higher than the average cost of a data breach due to other causes (IBM, 2023). It is imperative that CISOs and AppSec teams place more focus on this critical threat vector.

Checkmarx combines proprietary technology with a team of expert security researchers to effectively identify malicious packages. Our threat intelligence system performs automated tests to identify suspicious package behaviors, author reputation, and additional checks (secrets, code scanning, static analysis, etc.). When a package is flagged as potentially malicious, our security research team conducts a thorough manual review to confirm its malicious nature, and avoid false positives, before adding it to our database (and reporting it externally, when appropriate). On average, Checkmarx scans nearly 2 million OSS packages every month.

A few examples include data exfiltration (stealing sensitive information), harmful file download, network connection to domain address known to be used by attackers, crypto-mining software, repojacking (takes control of the repository of a legitimate package), typosquatting (mimics the name of a popular package, inducing users to inadvertently use this package), chainjacking (stores a package in a renamed GitHub repository), and protestware (software that includes functionality which aims to protest an issue).

The most effective way to prevent harm to your organization from malicious packages is to validate each package before it is installed. Beyond this, it is important to frequently scan all the OSS packages used in your applications and container images, to identify and remove/update any package versions that may have been flagged as containing malicious or suspicious code (note that most SCA solutions check for packages with vulnerabilities, but do not identify malicious packages). Other best practices include only using trusted repositories, only using OSS from reputable authors/maintainers, and keeping packages updated to the latest versions (so that you are benefiting from the most recent security patches). Learn more about Checkmarx’ SCA scan technology.

Bad actors tend to focus on widely used packages and widely used repositories. Prominent examples include distributing JavaScript npm malicious packages via the npm Registry, Python malicious packages via the Python Package Index (PyPI), .NET NuGet malicious packages via the NuGet Gallery, and all types of malicious software packages via GitHub Packages.