Malicious Package Protection

A malicious software package is a piece of code disguised as a legitimate software component but designed to harm systems or steal data. Unlike packages that only contain unintentional security weaknesses (vulnerabilities) that can potentially be exploited by bad actors, malicious packages are designed and propagated with malevolent intent.

The threat level to organizations of supply chain attacks in general, and malicious packages in particular, has been rapidly rising over the past few years. The numbers tell a disturbing story: Checkmarx’ AppSec research team has discovered more than 420,000 publicly available malicious packages (as of November 2024). 76% of CISOs are concerned about the dangers of malicious packages (Checkmarx survey, 2024). The average cost of a software supply chain compromise was $4.63 million, which is 8.3% higher than the average cost of a data breach due to other causes (IBM, 2023). It is imperative that CISOs and AppSec teams place more focus on this critical threat vector.

Checkmarx combines proprietary technology with a team of expert security researchers to effectively identify malicious packages. Our threat intelligence system performs automated tests to identify suspicious package behaviors, author reputation, and additional checks (secrets, code scanning, static analysis, etc.). When a package is flagged as potentially malicious, our security research team conducts a thorough manual review to confirm its malicious nature, and avoid false positives, before adding it to our database (and reporting it externally, when appropriate). On average, Checkmarx scans nearly 2 million OSS packages every month.

The most effective way to prevent harm to your organization from malicious packages is to validate each package before it is installed. Beyond this, it is important to frequently scan all the OSS packages used in your applications and container images, to identify and remove/update any package versions that may have been flagged as containing malicious or suspicious code (note that most SCA solutions check for packages with vulnerabilities, but do not identify malicious packages). Other best practices include only using trusted repositories, only using OSS from reputable authors/maintainers, and keeping packages updated to the latest versions (so that you are benefiting from the most recent security patches). Learn more about Checkmarx’ SCA scan technology.

Checkmarx Malicious Package Protection detects:Malicious packages (intentional backdoors, exfiltration, cryptomining, protestware)Typosquatting attacks (packages named to mimic popular libraries)Dependency confusion attacks (internal package name hijacking)Account takeover publishes (legitimate packages compromised by attacker)Supply chain hijacking via CI/CD or build infrastructure

Checkmarx monitors all major package ecosystems including npm, PyPI (Python), Maven (Java), RubyGems (Ruby), NuGet (.NET), Go modules, Cargo (Rust), Swift Package Manager, Cocoapods, and more. Coverage is continuously expanding as new ecosystems gain adoption.

The database is built from multiple intelligence sources: proprietary research from the Checkmarx Zero security research team, automated behavioral analysis of new package publishes across registries, aggregated community and public disclosure feeds (CVEs, GitHub Advisories), and collaborative threat intelligence sharing with ecosystem partners. The database is updated continuously — new threats are typically added within hours of discovery.

Checkmarx integrates natively with all major CI/CD platforms — GitHub Actions, GitLab CI, Jenkins, Azure Pipelines, and more. When a malicious or high-risk package is detected in your dependency tree, the build is blocked automatically with clear remediation guidance. Integration takes minutes via the Checkmarx One platform, and policies are managed centrally by your security team.

The Malicious Package Identification API (MPIAPI) is a REST API that provides programmatic access to the Checkmarx malicious package database. Developers and security teams can query any package name and version to receive an instant risk score, threat category, and recommended safe version. The API can be embedded in IDE plugins, custom security tooling, developer portals, or pre-commit hooks. Learn more at checkmarx.com/malicious-packages-identification-api.