OSSF Malicious Packages
The OSSF Malicious Packages repository is an open-source database containing reports of malicious packages identified across different open-source package repositories.
Scope
Unlike vulnerability databases that list unintentional weaknesses such as CVEs, Malicious Packages focuses on intentional malicious patterns such as typosquatting, account takeovers, dependency confusion, and manifest confusion, to name a few.
The OSSF explicitly defines malicious packages as those that, when installed or used, compromise system confidentiality, availability, and/or integrity.
Data Access
The reports can be accessed via the public GitHub repository, in its osv directory. Additionally, the OSSF publishes up-to-date statistics on the total number of malicious packages.
Malicious Packages in DevGuard
DevGuard will use Malicious Packages in the upcoming purl inspector.
Work in progress!
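The reports in the osv directory use the OSV JSON format, which is what a purl inspector has to match against. As an added example (not DevGuard's or the OSSF's own code), the following checks a package URL against two constructed OSV-shaped reports with placeholder ids and names, covering both an explicit versions list and an "introduced: 0" range, which in OSV means every version of the package is affected.

```python
# Added example (not DevGuard or OSSF code): match purls against OSV-shaped
# malicious-package reports. The reports below are CONSTRUCTED placeholders.
import json
from urllib.parse import unquote

MALICIOUS_REPORTS = json.loads("""[
 {"id": "MAL-0000-EXAMPLE-1", "summary": "Malicious code in example-pkg (npm)",
  "affected": [{"package": {"ecosystem": "npm", "name": "example-pkg"},
                "versions": ["1.0.3", "1.0.4"]}]},
 {"id": "MAL-0000-EXAMPLE-2", "summary": "Malicious code in examplepkg (PyPI)",
  "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
                "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}]}
]""")

# purl type -> OSV ecosystem label (subset; Maven/NuGet naming is not handled)
PURL_TYPE_TO_ECOSYSTEM = {"npm": "npm", "pypi": "PyPI", "gem": "RubyGems", "cargo": "crates.io", "golang": "Go"}

def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into
    (type, name, version); namespace and name are re-joined with '/'."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    body, _, version = body.partition("@")
    ptype, _, path = body.partition("/")
    name = "/".join(unquote(p) for p in path.split("/") if p)
    return ptype.lower(), name, version

def flags_all_versions(affected):
    """OSV convention: a range starting at 'introduced: 0' covers every version
    (this simplified check ignores any later 'fixed' event)."""
    return any(ev.get("introduced") == "0"
               for rng in affected.get("ranges", []) for ev in rng.get("events", []))

def find_malicious(purl, reports=MALICIOUS_REPORTS):
    """Return the ids of reports whose affected entries match the purl."""
    ptype, name, version = parse_purl(purl)
    eco = PURL_TYPE_TO_ECOSYSTEM.get(ptype)
    hits = []
    for report in reports:
        for aff in report.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != eco:
                continue
            # PyPI names are case-insensitive; other ecosystems compare exactly
            same = (pkg.get("name", "").lower() == name.lower()
                    if eco == "PyPI" else pkg.get("name") == name)
            if same and (version in aff.get("versions", []) or flags_all_versions(aff)):
                hits.append(report["id"])
    return hits
```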