OpenSSF Malicious Packages

This repository is a collection of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
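The following is an added example, not code from this repository, showing how a consumer might index OSV-format malicious-package reports and check a dependency against them. The two records are constructed with placeholder ids and package names, and the matcher assumes the two affected-version shapes common in such reports: an explicit versions list, or a SEMVER range introduced at "0" with no fixed event (meaning every version is flagged).

```python
# Constructed sample OSV records shaped like malicious-package reports;
# ids and package names are placeholders, not real entries.
SAMPLE_OSV_RECORDS = [
    {
        "id": "MAL-0000-EXAMPLE",
        "summary": "Malicious code in example-pkg (npm)",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "example-pkg"},
            "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}],
        }],
    },
    {
        "id": "MAL-0000-EXAMPLE-2",
        "summary": "Malicious versions of example-lib (PyPI)",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "example-lib"},
            "versions": ["1.2.3", "1.2.4"],
        }],
    },
]


def _all_versions_affected(affected):
    """True when a range starts at "0" with no "fixed" event: every version is flagged."""
    for rng in affected.get("ranges", []):
        events = rng.get("events", [])
        introduced_zero = any(e.get("introduced") == "0" for e in events)
        has_fixed = any("fixed" in e for e in events)
        if introduced_zero and not has_fixed:
            return True
    return False


def build_index(records):
    """Index affected entries by (ecosystem, package name) for O(1) lookup."""
    index = {}
    for rec in records:
        for aff in rec.get("affected", []):
            pkg = aff.get("package", {})
            key = (pkg.get("ecosystem", ""), pkg.get("name", ""))
            index.setdefault(key, []).append({"id": rec["id"], "affected": aff})
    return index


def check_dependency(index, ecosystem, name, version):
    """Return ids of reports flagging this exact (ecosystem, name, version)."""
    hits = []
    for entry in index.get((ecosystem, name), []):
        aff = entry["affected"]
        if _all_versions_affected(aff) or version in aff.get("versions", []):
            hits.append(entry["id"])
    return hits
```

Ranges with a non-zero introduced or a fixed event need a real version comparison for the ecosystem in question; this matcher deliberately does not guess at that.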

This project is closely related to the OpenSSF Package Analysis project.

About

Background

Attacks against open source ecosystems are gaining popularity. Typosquatting, dependency confusion, account takeovers, etc. are happening more frequently each year.

While some protection can be found through various security solutions, there is no comprehensive database of malicious packages published to open source package repositories.

Objective

The aim of this project and repository is to be a comprehensive, high quality, open source database of reports of malicious packages published on open source package repositories.

These public reports help protect the open source community, and provide a data source for the security community to improve their ability to find and detect new open source malware.

Scope

What is in scope?

Out-of-scope:

Prior Work

Get Involved

Contribute Malicious Package Reports

See our contributing guide for complete details.

OSV reports via Pull Request

We accept new reports, and updates to existing reports.

We will also accept bulk imports via PR (please create an issue first).

Automated Sources

If you regularly produce high-quality detections with few false positives, and have them accumulating in a database, we can automatically consume them as OSV from a cloud storage environment (S3, GCS).

Comms

Meeting Times

False Positives

While we do our best to ensure false positives are not present, they may appear in our dataset from time to time.

If you see that a non-malicious package is flagged as malicious, create an issue. Please include the following:

We will then either:

Note: support for handling false positives is TBC.

Governance

This work is associated with the Package Analysis project.

This project belongs to the Securing Critical Projects Working Group in the OpenSSF (Slack).

The working group's CHARTER.md outlines the scope and governance of our group activities.