Malicious packages

Threat actors are increasingly targeting open source package registries by publishing malicious packages. These attacks exploit the trust and widespread use of these registries to distribute malware, compromising developer systems and build pipelines. Attackers employ sophisticated techniques such as typosquatting and starjacking to make their malicious packages appear legitimate. These packages often contain various types of malware including info stealers and remote access trojans.

How Trusty protects against malicious packages

Trusty integrates with OSV.dev, a distributed vulnerability database for open source software, to consume information about malicious packages. The OSV database aggregates information from multiple databases and centralizes it in the OpenSSF OSV format. Trusty consumes this information hourly to provide updated information about known malicious packages across the open source ecosystem.

Stacklok also uses an internal intelligence engine to detect potentially malicious packages as soon as they are published. Our team manually reviews these flagged packages before Trusty reports them as malicious. We also report confirmed malicious packages to repository maintainers for removal.

When you encounter a malicious package in Trusty, you'll see information about the type of attack and a link to the original OSV.dev report. This allows you to access all available information and make an informed decision about the package.